
Analysis Report Scan Copy.scr

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:123510
Start date:15.04.2019
Start time:22:14:14
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 37s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Scan Copy.scr (renamed file extension from scr to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:32
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal92.phis.troj.spyw.evad.winEXE@52/283@2/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 98.7% (good quality ratio 95.8%)
  • Quality average: 85.6%
  • Quality standard deviation: 23.2%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 70
  • Number of non-executed functions: 261
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: RegAsm.exe

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 92 | 0 - 100 | - | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | -


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts 2 | Command-Line Interface 1 | Valid Accounts 2 | Valid Accounts 2 | Software Packing 2 | Input Capture 11 | Network Service Scanning 1 | Application Deployment Software | Input Capture 11 | Data Encrypted 2 | Uncommonly Used Port 1
Replication Through Removable Media | Graphical User Interface 2 | Port Monitors | Process Injection 11 | Valid Accounts 2 | Credentials in Registry 1 | Process Discovery 2 | Remote Services | Data from Local System 1 | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 1
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Disabling Security Tools 11 | Credentials in Files 2 | Account Discovery 1 | Windows Remote Management | Clipboard Data 2 | Automated Exfiltration | Remote Access Tools 1
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection 11 | Credentials in Files | Security Software Discovery 61 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol 2
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information 2 | Account Manipulation | System Information Discovery 25 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol 2

Only the techniques followed by digits were mapped from triggered signatures; the digits are the matrix's signature-count badges, run together by extraction (a value such as 61 is most likely more than one badge, not 61 signatures). The remaining names are the matrix's unhighlighted cells and do not indicate observed behaviour.

Signature Overview



AV Detection:

Antivirus and Machine Learning detection for unpacked file
Source: 2.1.vbc.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473 (NirSoft Mail PassView, a password-recovery tool; this is the image unpacked at 0x400000 inside the vbc.exe process, not Microsoft's vbc.exe itself)
Source: 0.3.Scan Copy.exe.e90000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D24696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00D24696
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D23D4E
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00D2C9C7
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2C93C FindFirstFileW,FindClose,0_2_00D2C93C
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D2F200
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D2F35D
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D2F65E
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D23A2B
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D2BF27
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,2_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_1_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,2_1_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,3_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,3_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_1_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,3_1_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_1_00407E0E FindFirstFileW,FindNextFileW,FindClose,3_1_00407E0E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49799 -> 194.5.98.9:20022
Source: Traffic | Snort IDS: 2025018 ET TROJAN Possible NanoCore C2 64B 192.168.2.5:49799 -> 194.5.98.9:20022
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49800 -> 194.5.98.9:20022
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49799 -> 194.5.98.9:20022
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 194.5.98.9 (reported 50 times)
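The three networking signatures above (the Snort NanoCore C2 alerts, traffic to the non-standard port 20022, and repeated connections to 194.5.98.9 with no DNS query) are exactly the correlation a hunter wants to run over their own logs. The following Python is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it joins a DNS-answer log with a connection log, flags outbound connections whose destination IP was never returned by a DNS answer in the preceding window or that use an uncommon TCP port, and collapses repeats per destination instead of emitting one line per session. The log records are constructed to mirror the events on this page; the resolved address used for www.google.ch is a made-up value, not a real resolution.

```python
"""Correlate outbound connections against DNS answers to flag direct-to-IP
command-and-control sessions on uncommon ports.

Added example, not part of the Joe Sandbox report. DNS and CONNS below are
constructed records (not captured data) that mirror this report: a
www.google.ch lookup followed by an HTTPS connection, two sessions to
194.5.98.9:20022 with no DNS answer for that IP, and an SSDP multicast query.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Ports a workstation is expected to reach directly; tune per environment.
# 20022, the C2 port in this report, is deliberately not on it.
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 123, 143, 443, 587, 993, 995, 3389}


@dataclass(frozen=True)
class DnsAnswer:
    ts: float      # seconds since capture start
    query: str     # name that was resolved
    answer: str    # IPv4 literal returned for it


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"


def is_local_scope(ip: str) -> bool:
    """Private, loopback, link-local and multicast destinations (such as the
    SSDP group 239.255.255.250) never need a DNS lookup and are skipped."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local or a.is_multicast


def find_suspicious(conns: list[Conn], dns: list[DnsAnswer], window: float = 300.0):
    """Return [(conn, [reason, ...])] for every connection that targets an IP no
    DNS answer returned within `window` seconds beforehand, or that uses a TCP
    destination port outside COMMON_PORTS."""
    answered: dict[str, list[float]] = {}
    for a in dns:
        answered.setdefault(a.answer, []).append(a.ts)

    findings = []
    for c in conns:
        if is_local_scope(c.dst):
            continue
        reasons = []
        if not any(0.0 <= c.ts - t <= window for t in answered.get(c.dst, [])):
            reasons.append("no-dns-resolution")
        if c.proto == "tcp" and c.dport not in COMMON_PORTS:
            reasons.append(f"uncommon-port:{c.dport}")
        if reasons:
            findings.append((c, reasons))
    return findings


def summarize(findings) -> dict[tuple[str, int], tuple[int, tuple[str, ...]]]:
    """Collapse hits to (dst, dport) -> (session count, sorted reasons), so a
    reconnecting implant yields one line rather than fifty identical ones."""
    out: dict[tuple[str, int], tuple[int, set[str]]] = {}
    for c, reasons in findings:
        key = (c.dst, c.dport)
        count, seen = out.get(key, (0, set()))
        out[key] = (count + 1, seen | set(reasons))
    return {k: (n, tuple(sorted(r))) for k, (n, r) in out.items()}


# Constructed sample logs (not captured data); 172.217.0.1 is a stand-in answer.
DNS = [DnsAnswer(100.0, "www.google.ch", "172.217.0.1")]
CONNS = [
    Conn(101.0, "192.168.2.5", 49790, "172.217.0.1", 443, "tcp"),       # HTTPS after lookup
    Conn(120.0, "192.168.2.5", 49799, "194.5.98.9", 20022, "tcp"),      # C2, never resolved
    Conn(150.0, "192.168.2.5", 49800, "194.5.98.9", 20022, "tcp"),      # C2 reconnect
    Conn(151.0, "192.168.2.5", 62550, "239.255.255.250", 1900, "udp"),  # SSDP, skipped
]


def run_sample():
    return summarize(find_suspicious(CONNS, DNS))


if __name__ == "__main__":
    for (dst, dport), (count, reasons) in run_sample().items():
        print(f"{dst}:{dport}  sessions={count}  reasons={', '.join(reasons)}")
```

On the constructed input the only finding is 194.5.98.9:20022 with two sessions and both reasons; the HTTPS session is cleared by the preceding lookup and the SSDP query is skipped as multicast. The DNS window matters in practice: long-lived resolver caches mean a legitimate connection can follow its lookup by more than five minutes, so set `window` from the TTLs you actually see rather than the default here.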
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 239.255.255.250 (the SSDP multicast group that every Windows host queries; this hit is not evidence of shared infrastructure)
Sends SSDP (simple service discovery protocol) broadcast queries
Source: global traffic | UDP traffic (labelled TCP in the original report; SSDP multicast is UDP): 192.168.2.5:62550 -> 239.255.255.250:1900 (reported 8 times)
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00D325E2
Found strings which match to known social media urls
(The vbc.exe hits below are browser-credential-recovery strings, the Mozilla moz_logins query, signons.sqlite, IE IntelliForms Storage2 and WebCache, rather than social-media use; the *.dr hits appear to be Chrome's own new-tab page and Cast extension scripts.)
Source: 1052f03495d4635b_1.6.dr | String found in binary or memory: &https://twitter.com/intent/tweet?text= equals www.twitter.com (Twitter)
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: </script><div class="gb_wa"><div class="gb_A gb_z gb_O" aria-label="Google-Apps" aria-hidden="true" role="region"><ul class="gb_C gb_u" aria-dropeffect="move"><li class="gb_h" aria-grabbed="false"><a class="gb_c" data-pid="192" draggable="false" href="https://myaccount.google.com/?utm_source=OGB&amp;tab=wk&amp;utm_medium=app" id="gb192"><div class="gb_q"></div><div class="gb_r"></div><div class="gb_s"></div><div class="gb_t"></div><span class="gb_k" style="background-position:0 -69px"></span><span class="gb_m">Google-Konto</span></a></li><li class="gb_h" aria-grabbed="false"><a class="gb_c" data-pid="1" draggable="false" href="https://www.google.ch/webhp?tab=ww" id="gb1"><div class="gb_q"></div><div class="gb_r"></div><div class="gb_s"></div><div class="gb_t"></div><span class="gb_k" style="background-position:0 -1311px"></span><span class="gb_m">Suche</span></a></li><li class="gb_h" aria-grabbed="false"><a class="gb_c" data-pid="8" draggable="false" href="https://maps.google.ch/maps?hl=de&amp;tab=wl" id="gb8"
Source: vbc.exe, 00000003.00000001.5107268956.0000000000400000.00000040.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000003.00000001.5107268956.0000000000400000.00000040.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000002.00000001.5102998128.0000000000418000.00000040.sdmp | String found in binary or memory: Hotmail/MSN equals www.hotmail.com (Hotmail)
Source: 1052f03495d4635b_1.6.dr | String found in binary or memory: Z+Bhttps://www.facebook.com/dialog/share?app_id=738026486351791&href= equals www.facebook.com (Facebook)
Source: vbc.exe, 00000003.00000003.5120872172.0000000000B9C000.00000004.sdmp | String found in binary or memory: d=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://tarifrechner.heise.de/widget.php?produkt=dslhttps://tarifrechner.heise.de/widget.phphttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login\m equals www.facebook.com (Facebook)
Source: vbc.exe, 00000003.00000003.5120872172.0000000000B9C000.00000004.sdmp | String found in binary or memory: d=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://tarifrechner.heise.de/widget.php?produkt=dslhttps://tarifrechner.heise.de/widget.phphttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login\m equals www.yahoo.com (Yahoo)
Source: 1052f03495d4635b_0.6.dr | String found in binary or memory: encodeURIComponent(n)+"&hashtag="+encodeURIComponent("#GoogleDoodle");ntp_Bt(p)};f.onclick=function(){var p="https://twitter.com/intent/tweet?text="+encodeURIComponent(m+"\n"+n);ntp_Bt(p)};g.onclick=function(){var p="mailto:?subject="+encodeURIComponent(m)+"&body="+encodeURIComponent(n);ntp_$j(document.location,p)};k.value=n;k.addEventListener("click",function(){return k.select()});k.setAttribute("readonly",!0);h.onclick=function(){k.select();document.execCommand("copy")};return!0},ntp_3s=function(a){if(a.o){var b= equals www.twitter.com (Twitter)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: 1052f03495d4635b_1.6.dr | String found in binary or memory: https://twitter.com/intent/tweet?text= equals www.twitter.com (Twitter)
Source: 1052f03495d4635b_1.6.dr | String found in binary or memory: https://www.facebook.com/dialog/share?app_id=738026486351791&href= equals www.facebook.com (Facebook)
Source: 1052f03495d4635b_0.6.dr | String found in binary or memory: var b=ntp_Ho("ntpsd"),c=ntp_Ho("ntpsd-title"),d=ntp_Ho("ntpsd-close"),e=ntp_Ho("ntpsd-fbb"),f=ntp_Ho("ntpsd-twb"),g=ntp_Ho("ntpsd-emb"),h=ntp_Ho("ntpsd-copy"),k=ntp_Ho("ntpsd-text");if(null==b||null==c||null==d||null==e||null==f||null==g||null==h||null==k)return!1;var l=function(){b.close()};d.onclick=l;b.onclick=function(p){p.target===b&&l()};var m=a.o.alt;ntp_Fd(c,ntp_2k(m));var n=a.o.share_url;n.indexOf(!1)&&(n="https:"+n);e.onclick=function(){var p="https://www.facebook.com/dialog/share?app_id=738026486351791&href="+ equals www.facebook.com (Facebook)
Source: mirroring_common.js.25.dr | String found in binary or memory: var ko={YouTube:"https://tv.youtube.com https://tv-green-qa.youtube.com https://tv-release-qa.youtube.com https://web-green-qa.youtube.com https://web-release-qa.youtube.com https://www.youtube.com".split(" "),Netflix:["https://www.netflix.com"],Pandora:["https://www.pandora.com"],Radio:["https://www.pandora.com"],Hulu:["https://www.hulu.com"],Vimeo:["https://www.vimeo.com"],Dailymotion:["https://www.dailymotion.com"],"com.dailymotion":["https://www.dailymotion.com"]},ho=/Eureka Dongle|Chromecast Audio|Chromecast Ultra/i, equals www.youtube.com (Youtube)
Source: mirroring_common.js.25.dr | String found in binary or memory (reported 3 times): window.gapi;if(!c)return a.m.error("gapi not loaded."),!1;a.m.info("Setting gapi auth token");c.auth.setToken({access_token:b});return!0})};jr.prototype.ya=function(){return"IdentityService"};jr.prototype.eb=function(){return[null,{signedIn:this.f,userEmail:this.b,kioskAuth:this.h}]};jr.prototype.cb=function(){var a=cj(this);a&&(a.signedIn&&(this.f=a.signedIn),a.userEmail&&(this.b=a.userEmail),a.kioskAuth&&(this.h=a.kioskAuth))};var or="cloudview.test@gmail.com castouts.qa.nohangouts@gmail.com castouts.qa@gmail.com castouts-qa.com castouts-test.com google.com youtube.com nest.com waze.com netflix.com twitter.com yahoo.com salesforce.com whirlpool.com nytimes.com kohls.com squareup.com ivci.com".split(" ");var pr=function(a){var b=a.method,c=a.uri,d=a.Qb,e=a.sc,f=a.rl,h=a.headers,l=a.body,t=a.start,u=a.apiKey,A=a.tg;a=a.bb;this.method=b&&b.toUpperCase()||"GET";(b=c)||(d=[d].concat(n(e||[])).join("/"),d=new Uo(encodeURI(d)),f&&(f=jp(f),Xo(d,f)),b=d);this.uri=b;u&&this.uri.f.add("key",u);this.b=a||null;this.heade
Source: RegAsm.exe, 00000001.00000003.4911984309.00000000040F0000.00000004.sdmp | String found in binary or memory: youtube equals www.youtube.com (Youtube)
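The strings the report pulled out of the vbc.exe process (the moz_logins SELECT, signons.sqlite, the IE IntelliForms Storage2 key, WebCacheV01.dat, the nirsoft.net URL, "Hotmail/MSN") are the fingerprint of NirSoft's password-recovery code that Avira labels SPR/Tool.MailPassView above, and they make a better hunting signature than the social-media URLs the signature name suggests. The following Python is an added example, not part of the Joe Sandbox report or of any NirSoft or Joe Sandbox tooling: it scans a buffer for those indicator strings in both ASCII and UTF-16LE (the report shows FindFirstFileA in process 2 and FindFirstFileW in process 3, so both string widths occur) and only calls a match when several of them co-occur, since any web page that links to nirsoft.net contains the URL alone. The two buffers are constructed stand-ins for an unpacked vbc.exe image and a browser cache file, not real dumps.

```python
"""Scan a binary or memory dump for the NirSoft password-recovery indicator
strings this report found inside vbc.exe.

Added example, not part of the Joe Sandbox report. INDICATORS are copied from
the report's 'Found strings' and 'Urls found' hits; FAKE_UNPACKED_VBC and
FAKE_CACHE_PAGE are constructed buffers, not captured memory.
"""

INDICATORS = [
    b"http://www.nirsoft.net/",
    b"SELECT id, hostname, httpRealm, formSubmitURL, usernameField, "
    b"passwordField, encryptedUsername, encryptedPassword FROM moz_logins",
    b"signons.sqlite",
    b"Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2",
    b"Microsoft\\Windows\\WebCache\\WebCacheV01.dat",
    b"https://login.yahoo.com/config/login",
    b"Hotmail/MSN",
]


def encoded_forms(indicator: bytes):
    """Yield the ASCII and UTF-16LE forms of an indicator; the report shows the
    injected code using both the A and W Win32 string APIs."""
    yield indicator
    yield indicator.decode("ascii").encode("utf-16-le")


def scan(buf: bytes, min_hits: int = 3) -> dict:
    """Return the indicators present in buf (either encoding) and whether the
    count reaches min_hits. One hit is noise: a page linking to nirsoft.net
    contains the URL; a credential-recovery image contains most of the list."""
    hits = []
    for ind in INDICATORS:
        if any(form in buf for form in encoded_forms(ind)):
            hits.append(ind.decode("ascii"))
    return {"hits": hits, "match": len(hits) >= min_hits}


# Constructed stand-in for the image unpacked at 0x400000 in vbc.exe: a few of
# the report's strings, two of them stored as wide strings.
FAKE_UNPACKED_VBC = (
    b"MZ" + b"\x00" * 62
    + b"@nss3.dll" + b"SOFTWARE\\Mozilla"
    + INDICATORS[1] + b".---signons.txt"
    + "signons.sqlite".encode("utf-16-le")
    + b"Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2"
    + "http://www.nirsoft.net/".encode("utf-16-le")
)

# Constructed stand-in for a benign cached web page that merely links to NirSoft.
FAKE_CACHE_PAGE = (
    b'<html><body><a href="http://www.nirsoft.net/">NirSoft utilities</a>'
    b'<a href="https://twitter.com/intent/tweet?text=">share</a></body></html>'
)


if __name__ == "__main__":
    for name, buf in (("unpacked vbc.exe", FAKE_UNPACKED_VBC), ("cache page", FAKE_CACHE_PAGE)):
        result = scan(buf)
        print(f"{name}: match={result['match']} hits={len(result['hits'])}")
        for h in result["hits"]:
            print("   ", h)
```

The same list drops straight into a YARA rule with the `ascii wide` modifiers and a `3 of them` condition; the threshold is what keeps it from firing on documentation that quotes the nirsoft.net URL. Memory scanning is the right place for it: on disk the sample is a .NET dropper (TR/Dropper.MSIL) and these strings only appear after it has unpacked the recovery tool into vbc.exe.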
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.google.ch
Urls found in memory or binary data
(Most entries below appear to come from Chrome's own cache and extension files, the *.6.dr, *.20.dr and *.25.dr files and manifest.json; the entries sourced from vbc.exe, RegAsm.exe, ksnmse2n.0su.2.dr and wfryduns.nc4.3.dr are the ones attributable to the sample.)
Source: angular.js.25.dr | String found in binary or memory: http://angularjs.org
Source: f1cdccba37924bda_0.6.dr | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: f1cdccba37924bda_0.6.dr | String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: f1cdccba37924bda_0.6.dr | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: angular.js.25.dr | String found in binary or memory: http://errors.angularjs.org/1.6.4-local
Source: RegAsm.exe, 00000001.00000003.4970400801.00000000044CA000.00000004.sdmp | String found in binary or memory: http://google.com
Source: f1cdccba37924bda_0.6.dr | String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: f1cdccba37924bda_0.6.dr | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: f1cdccba37924bda_0.6.dr | String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: mirroring_hangouts.js.25.dr | String found in binary or memory: http://tools.ietf.org/html/rfc1950
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: http://www.broofa.com
Source: craw_window.js.20.dr, cast_game_sender.js.25.dr, craw_background.js.20.dr | String found in binary or memory: http://www.ecma-international.org/ecma-262/5.1/#sec-C
Source: mirroring_hangouts.js.25.dr | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
Source: mirroring_hangouts.js.25.dr | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: vbc.exe, 00000003.00000003.5119989199.000000000235D000.00000004.sdmp | String found in binary or memory: http://www.msn.com/
Source: vbc.exe, vbc.exe, 00000003.00000001.5107268956.0000000000400000.00000040.sdmp, vbc.exe, 00000003.00000002.5123033069.0000000000194000.00000004.sdmp, ksnmse2n.0su.2.dr, wfryduns.nc4.3.dr | String found in binary or memory: http://www.nirsoft.net/
Source: manifest.json.23.dr, manifest.json0.6.dr | String found in binary or memory: https://accounts.google.com
Source: craw_window.js.20.dr | String found in binary or memory: https://accounts.google.com/MergeSession
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://adservice.google.ch/adsid/google/ui
Source: 8e6180bc791246b8_0.6.dr, manifest.json.23.dr, manifest.json0.6.dr | String found in binary or memory: https://apis.google.com
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://apis.google.com/js/api.js
Source: mirroring_common.js.25.dr | String found in binary or memory: https://apis.google.com/js/client.js
Source: cast_app.js.25.dr | String found in binary or memory: https://castappui.google.com
Source: mirroring_common.js.25.dr | String found in binary or memory: https://castedumessaging-pa.googleapis.com/v1
Source: mirroring_hangouts.js.25.dr, mirroring_cast_streaming.js.25.dr | String found in binary or memory: https://clients2.google.com/cr/report
Source: manifest.json.23.dr, manifest.json0.6.dr | String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: cast_app.js.25.dr | String found in binary or memory: https://clients3.google.com/cast/chromecast/home/gsse?rt=j&hl=
Source: mirroring_hangouts.js.25.dr | String found in binary or memory: https://clients6.google.com
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://consent.google.ch/setx?hl
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://consent.google.com?hl
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://contacts.google.com/?hl=de&amp;tab=wC
Source: manifest.json.23.dr, manifest.json0.6.dr | String found in binary or memory: https://content.googleapis.com
Source: common.js.25.dr, mirroring_cast_streaming.js.25.dr | String found in binary or memory: https://crash.corp.google.com/samples?reportid=&q=
Source: mirroring_hangouts.js.25.dr | String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
Source: mirroring_common.js.25.dr | String found in binary or memory: https://docs.google.com
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://drive.google.com/?tab=wo
Source: manifest.json.23.dr, manifest.json0.6.dr | String found in binary or memory: https://feedback.googleusercontent.com
Source: manifest.json.23.dr, manifest.json0.6.dr | String found in binary or memory: https://fonts.googleapis.com;
Source: manifest.json.23.dr, manifest.json0.6.dr | String found in binary or memory: https://fonts.gstatic.com;
Source: material_css_min.css.25.dr | String found in binary or memory: https://github.com/angular/material
Source: craw_window.js.20.dr, cast_game_sender.js.25.dr, craw_background.js.20.dr | String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: mirroring_hangouts.js.25.dr | String found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
Source: manifest.json.23.dr, manifest.json0.6.dr | String found in binary or memory: https://hangouts.google.com/
Source: mirroring_common.js.25.dr | String found in binary or memory: https://hangouts.google.com/cloudmrp-mirroring
Source: mirroring_hangouts.js.25.dr | String found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://maps.google.ch/maps?hl=de&amp;tab=wl
Source: mirroring_hangouts.js.25.dr | String found in binary or memory: https://meetings.clients6.google.com
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://myaccount.google.com/?utm_source=OGB&amp;tab=wk&amp;utm_medium=app
Source: mirroring_common.js.25.dr | String found in binary or memory: https://networktraversal.googleapis.com/v1alpha
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://news.google.ch/nwshp?hl=de&amp;tab=wn
Source: craw_window.js.20.dr, manifest.json.18.dr, manifest.json.6.dr | String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: f1cdccba37924bda_0.6.dr | String found in binary or memory: https://pki.goog/repository/0
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://play.google.com/?hl=de&amp;tab=w8
Source: mirroring_hangouts.js.25.dr | String found in binary or memory: https://play.google.com/log?format=json
Source: 1052f03495d4635b_1.6.dr, 1052f03495d4635b_0.6.dr | String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://play.googleapis.com/staging/log
Source: 1052f03495d4635b_1.6.dr, 1052f03495d4635b_0.6.dr | String found in binary or memory: https://s2.googleusercontent.com/s2/favicons
Source: craw_window.js.20.dr, manifest.json.18.dr, manifest.json.6.dr | String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://ssl.gstatic.com/gb/images/silhouette_27.png)
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://ssl.gstatic.com/gb/images/silhouette_96.png)
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://support.google.com/chrome/?p
Source: messages.json62.6.dr, feedback.html.25.dr | String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://support.google.com/websearch/answer/106230?hl=de-CH
Source: vbc.exe, 00000003.00000003.5120783504.000000000235B000.00000004.sdmp | String found in binary or memory: https://tarifrechner.heise.de/widget.phpprod
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://translate.google.ch/?hl=de&amp;tab=wT
Source: mirroring_common.js.25.dr | String found in binary or memory: https://tv-green-qa.youtube.com
Source: mirroring_common.js.25.dr | String found in binary or memory: https://tv-release-qa.youtube.com
Source: mirroring_common.js.25.dr | String found in binary or memory: https://tv.youtube.com
Source: 1052f03495d4635b_1.6.dr, 1052f03495d4635b_0.6.dr | String found in binary or memory: https://twitter.com/intent/tweet?text=
Source: mirroring_common.js.25.dr | String found in binary or memory: https://web-green-qa.youtube.com
Source: mirroring_common.js.25.dr | String found in binary or memory: https://web-release-qa.youtube.com
Source: craw_window.js.20.dr, craw_background.js.20.dr | String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: mirroring_common.js.25.dr | String found in binary or memory: https://www.dailymotion.com
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://www.google.ch
Source: 000003.log2.6.dr | String found in binary or memory: https://www.google.ch/
Source: 000003.log2.6.dr | String found in binary or memory: https://www.google.ch/1
Source: 000003.log2.6.dr | String found in binary or memory: https://www.google.ch/_/chrome/
Source: f1cdccba37924bda_1.6.dr, 000003.log2.6.dr | String found in binary or memory: https://www.google.ch/_/chrome/newtab-serviceworker.js
Source: Current Session.6.dr | String found in binary or memory: https://www.google.ch/_/chrome/newtab?ie=UTF-8
Source: Current Session.6.dr | String found in binary or memory: https://www.google.ch/_/chrome/newtab?ie=UTF-8T#
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://www.google.ch/intl/de_ch/about/%3Futm_source%3Dgoogle-CH%26utm_medium%3Dreferral%26utm_campa
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://www.google.ch/intl/de_ch/about/?utm_source=google-CH&amp;utm_medium=referral&amp;utm_campaig
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://www.google.ch/intl/de_ch/ads/%3Fsubid%3Dww-ww-et-g-awa-a-g_hpafoot1_1
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://www.google.ch/intl/de_ch/ads/?subid=ww-ww-et-g-awa-a-g_hpafoot1_1
Source: 8e6180bc791246b8_0.6.dr | String found in binary or memory: https://www.google.ch/intl/de_ch/policies/terms/%3Ffg%3D1&amp;ved=0ahUKEwiezKWW9dLhAhWtwqYKHcBDBbcQ8
Source: 8e6180bc791246b8_0.6.drString found in binary or memory: https://www.google.ch/intl/de_ch/policies/terms/?fg=1
Source: 8e6180bc791246b8_0.6.drString found in binary or memory: https://www.google.ch/preferences%3Fhl%3Dde&amp;ved=0ahUKEwiezKWW9dLhAhWtwqYKHcBDBbcQzq0CCBM
Source: 8e6180bc791246b8_0.6.drString found in binary or memory: https://www.google.ch/preferences?hl=de
Source: 8e6180bc791246b8_0.6.drString found in binary or memory: https://www.google.ch/preferences?hl=de-CH&amp;fg=1
Source: 8e6180bc791246b8_0.6.drString found in binary or memory: https://www.google.ch/services/%3Fsubid%3Dww-ww-et-g-awa-a-g_hpbfoot1_1
Source: 8e6180bc791246b8_0.6.drString found in binary or memory: https://www.google.ch/services/?subid=ww-ww-et-g-awa-a-g_hpbfoot1_1
Source: 8e6180bc791246b8_0.6.drString found in binary or memory: https://www.google.ch/setprefs?sig=0_hEhoeN8uEBYGmp8JSNtJTZc2dV4%3D&amp;hl=en&amp;source=homepage&am
Source: 8e6180bc791246b8_0.6.drString found in binary or memory: https://www.google.ch/setprefs?sig=0_hEhoeN8uEBYGmp8JSNtJTZc2dV4%3D&amp;hl=fr&amp;source=homepage&am
Source: 8e6180bc791246b8_0.6.drString found in binary or memory: https://www.google.ch/setprefs?sig=0_hEhoeN8uEBYGmp8JSNtJTZc2dV4%3D&amp;hl=it&amp;source=homepage&am
Source: 8e6180bc791246b8_0.6.drString found in binary or memory: https://www.google.ch/setprefs?sig=0_hEhoeN8uEBYGmp8JSNtJTZc2dV4%3D&amp;hl=rm&amp;source=homepage&am
Source: 8e6180bc791246b8_0.6.drString found in binary or memory: https://www.google.ch/webhp?tab=ww
Source: f0087415a20149cf_1.6.drString found in binary or memory: https://www.google.ch/xjs/_/js/k=xjs.ntp.en.8lTzC9mO2yg.O/am=AIgBHJkK/rt=j/d=1/exm=sx
Source: 1052f03495d4635b_0.6.drString found in binary or memory: https://www.google.ch/xjs/_/js/k=xjs.ntp.en.eD7sbRRon7M.O/m=jsa
Source: 8e6180bc791246b8_0.6.dr, manifest.json.23.dr, manifest.json0.6.drString found in binary or memory: https://www.google.com
Source: QuotaManager-journal.6.dr, manifest.json.18.dr, manifest.json.6.drString found in binary or memory: https://www.google.com/
Source: craw_window.js.20.dr, craw_background.js.20.drString found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
Source: 8e6180bc791246b8_0.6.drString found in binary or memory: https://www.google.com/calendar?tab=wc
Source: manifest.json.23.dr, manifest.json0.6.drString found in binary or memory: https://www.google.com/chromecast/
Source: craw_window.js.20.drString found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.20.drString found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.20.drString found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.20.drString found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: mirroring_hangouts.js.25.drString found in binary or memory: https://www.google.com/log?format=json
Source: 1052f03495d4635b_1.6.dr, 1052f03495d4635b_0.6.drString found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: feedback_script.js.25.drString found in binary or memory: https://www.google.com/tools/feedback
Source: manifest.json.23.dr, manifest.json0.6.drString found in binary or memory: https://www.google.com;
Source: craw_window.js.20.dr, mirroring_hangouts.js.25.dr, craw_background.js.20.drString found in binary or memory: https://www.googleapis.com
Source: manifest.json.18.dr, manifest.json.6.drString found in binary or memory: https://www.googleapis.com/
Source: manifest.json.23.dr, manifest.json0.6.drString found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json.23.dr, manifest.json0.6.drString found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json.18.dr, manifest.json.6.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.18.dr, manifest.json.6.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json.23.dr, manifest.json0.6.drString found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json.23.dr, manifest.json0.6.drString found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json.23.dr, manifest.json0.6.drString found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json.23.dr, manifest.json0.6.drString found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json.23.dr, manifest.json0.6.drString found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json.18.dr, manifest.json.6.drString found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.18.dr, manifest.json.6.drString found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json.23.dr, manifest.json0.6.drString found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: mirroring_common.js.25.drString found in binary or memory: https://www.googleapis.com/calendar/v3
Source: mirroring_common.js.25.drString found in binary or memory: https://www.googleapis.com/clouddevices/v1
Source: mirroring_common.js.25.drString found in binary or memory: https://www.googleapis.com/hangouts/v1
Source: 1052f03495d4635b_1.6.dr, 1052f03495d4635b_0.6.drString found in binary or memory: https://www.gstatic.com/travel-trips-fe/svg/ic_events_24px.svg)no-repeat
Source: 1052f03495d4635b_1.6.dr, 1052f03495d4635b_0.6.drString found in binary or memory: https://www.gstatic.com/travel-trips-fe/svg/ic_restaurants_24px.svg)no-repeat
Source: 1052f03495d4635b_1.6.dr, 1052f03495d4635b_0.6.drString found in binary or memory: https://www.gstatic.com/travel-trips-fe/svg/ic_top_sights_24px.svg)no-repeat
Source: 1052f03495d4635b_1.6.dr, 1052f03495d4635b_0.6.drString found in binary or memory: https://www.gstatic.com/travel-trips-fe/svg/ic_weather_24px.svg)no-repeat
Source: manifest.json.23.dr, manifest.json0.6.drString found in binary or memory: https://www.gstatic.com;
Source: vbc.exe, 00000003.00000003.5117055380.000000000236C000.00000004.sdmp, vbc.exe, 00000003.00000003.5121431200.0000000000B9B000.00000004.sdmpString found in binary or memory: https://www.heise.de/javascript:try
Source: mirroring_common.js.25.drString found in binary or memory: https://www.hulu.com
Source: mirroring_common.js.25.drString found in binary or memory: https://www.netflix.com
Source: mirroring_common.js.25.drString found in binary or memory: https://www.pandora.com
Source: mirroring_common.js.25.drString found in binary or memory: https://www.vimeo.com
Source: mirroring_common.js.25.drString found in binary or memory: https://www.youtube.com
Source: 8e6180bc791246b8_0.6.drString found in binary or memory: https://www.youtube.com/?gl=CH
Uses HTTPS
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for reading data from the clipboard
Source: C:\Users\user\Desktop\Scan Copy.exe Code function: 0_2_00D3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Scan Copy.exe Code function: 0_2_00D3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Scan Copy.exe Code function: 0_2_00D20219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState

System Summary:

Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\Scan Copy.exe Code function: 0_2_00CC3B4C This is a third-party compiled AutoIt script.
Source: Scan Copy.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Scan Copy.exe, 00000000.00000002.5068972253.0000000000D4F000.00000002.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: Scan Copy.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Scan Copy.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_1_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Scan Copy.exe Code function: 0_2_00D240B1: CreateFileW,_memset,DeviceIoControl,CloseHandle
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\Scan Copy.exe Code function: 0_2_00D18858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Scan Copy.exe Code function: 0_2_00D2545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Creates mutexes
Source: C:\Users\user\Desktop\Scan Copy.exe Mutant created: \Sessions\1\BaseNamedObjects\audioresourceregistrar
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{1a8c52b8-cb39-403f-a045-5b3521f5a9df}
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004118A0 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 68 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 176 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411544 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004076A9 appears 52 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 70 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0042D603 appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442562 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004115B2 appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442580 appears 60 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442574 appears 36 times
Source: C:\Users\user\Desktop\Scan Copy.exe Code function: String function: 00CE0D27 appears 70 times
Source: C:\Users\user\Desktop\Scan Copy.exe Code function: String function: 00CC7F41 appears 35 times
Source: C:\Users\user\Desktop\Scan Copy.exe Code function: String function: 00CE8B40 appears 42 times
PE file contains strange resources
Source: Scan Copy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Scan Copy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Scan Copy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Scan Copy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Scan Copy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Scan Copy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Scan Copy.exe Section loaded: wow64log.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: wow64log.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Section loaded: wow64log.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Section loaded: wow64log.dll
Yara signature match
Source: 00000000.00000003.5059291997.00000000003D9000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.4891663239.0000000000240000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.4896829432.0000000000240000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.4892863875.000000000030E000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.4896238314.0000000000276000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.4894561185.00000000003A6000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.4893798951.0000000000374000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.4894302706.0000000000340000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.4895743430.00000000003A7000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.4890848293.0000000000341000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.5059664940.0000000000243000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.4898135542.0000000000E92000.00000040.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.5060082263.00000000003A6000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.5059892395.0000000000341000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.5061514626.000000000030E000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.Scan Copy.exe.e90000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.Scan Copy.exe.e90000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
.NET source code contains calls to encryption/decryption functionsShow sources
Source: 0.3.Scan Copy.exe.e90000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.3.Scan Copy.exe.e90000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
Source: 0.3.Scan Copy.exe.e90000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
Classification label
Source: classification engine | Classification label: mal92.phis.troj.spyw.evad.winEXE@52/283@2/3
Contains functionality for error logging
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2A2D5 GetLastError,FormatMessageW
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D18713 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D18CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D3F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D386D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CC4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Creates files inside the user directory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0
Creates temporary files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\ksnmse2n.0su
PE file has an executable .text section and no other executable section
Source: Scan Copy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries a list of all open handles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Reads ini files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\Scan Copy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data (these are SQLite engine-internal statements from VACUUM and ALTER TABLE ... RENAME, i.e. an embedded SQLite library inside the vbc.exe payload; together with the Firefox profiles.ini read above this is consistent with browser credential databases being opened, not with the sample running its own SQL)
Source: vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe, 00000003.00000001.5107268956.0000000000400000.00000040.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Sample might require command line arguments (.Net) (sandbox label; the strings it matched are the AutoIt v3 runtime's own markers, so the outer Scan Copy.exe is a compiled AutoIt script rather than a .NET binary. The managed NanoCore code only appears in the unpacked memory region 0.3.Scan Copy.exe.e90000.0.unpack and in the RegAsm.exe child, which is consistent with AutoIt decrypting the payload and handing it to RegAsm.exe.)
Source: Scan Copy.exe | String found in binary or memory: #comments-start
Source: Scan Copy.exe | String found in binary or memory: EAutoIt v3TaskbarCreatedScript PausedExit/AutoIt3ExecuteScript/AutoIt3ExecuteLine/AutoIt3OutputDebug/ErrorStdOutCMDLINECMDLINERAW>>>AUTOIT NO CMDEXECUTE<<<\AutoIt v3 GUIedit SCRIPTGetNativeSystemInfokernel32.dllrb#comments-end#ce#comments-start#cs
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Scan Copy.exe 'C:\Users\user\Desktop\Scan Copy.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\ksnmse2n.0su'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\wfryduns.nc4'
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=crashpad-handler '--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data' /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler '--database=C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad' '--metrics-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data' --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=70.0.3538.102 --initial-client-data=0x1d4,0x1d8,0x1dc,0x1d0,0x1e0,0x7ffbabdc54d0,0x7ffbabdc54e0,0x7ffbabdc54f0
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=watcher --main-thread-id=2652 --on-initialized-event-handle=652 --parent-handle=656 /prefetch:6
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=gpu-process --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=1356842001423792367 --mojo-platform-channel-handle=1540 --ignored=' --type=renderer ' /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --service-pipe-token=5753046221801148915 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5753046221801148915 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2472 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=790297802603284971 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=790297802603284971 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=5397054880529421805 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5397054880529421805 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=9600103168803514220 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9600103168803514220 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=7281898165451541647 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7281898165451541647 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=2766349167648228370 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2766349167648228370 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=15358652876021970593 --mojo-platform-channel-handle=4832 --ignored=' --type=renderer ' /prefetch:8
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=13454238612049800161 --mojo-platform-channel-handle=5448 --ignored=' --type=renderer ' /prefetch:8
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10205432272691095512 --mojo-platform-channel-handle=5852 --ignored=' --type=renderer ' /prefetch:8
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=11844506623908068485 --mojo-platform-channel-handle=5880 --ignored=' --type=renderer ' /prefetch:8
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=6426661071507971882 --mojo-platform-channel-handle=5932 --ignored=' --type=renderer ' /prefetch:8
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=16920755699783900528 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16920755699783900528 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=12499384309852807203 --mojo-platform-channel-handle=5636 --ignored=' --type=renderer ' /prefetch:8
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=5633460633593709161 --mojo-platform-channel-handle=6324 --ignored=' --type=renderer ' /prefetch:8
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=6244100719481708259 --mojo-platform-channel-handle=6116 --ignored=' --type=renderer ' /prefetch:8
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=gpu-process --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=11981225964935849909 --mojo-platform-channel-handle=5840 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=18366797056451876799 --mojo-platform-channel-handle=6028 --ignored=' --type=renderer ' /prefetch:8
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=8036913439218428935 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8036913439218428935 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --no-sandbox --service-request-channel-token=9293926589365566293 --mojo-platform-channel-handle=2344 /prefetch:8
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=13774192371078126979 --mojo-platform-channel-handle=2344 --ignored=' --type=renderer ' /prefetch:8
Source: C:\Users\user\Desktop\Scan Copy.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\ksnmse2n.0su'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\wfryduns.nc4'
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=crashpad-handler '--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data' /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler '--database=C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad' '--metrics-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data' --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=70.0.3538.102 --initial-client-data=0x1d4,0x1d8,0x1dc,0x1d0,0x1e0,0x7ffbabdc54d0,0x7ffbabdc54e0,0x7ffbabdc54f0
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=watcher --main-thread-id=2652 --on-initialized-event-handle=652 --parent-handle=656 /prefetch:6
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=gpu-process --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=1356842001423792367 --mojo-platform-channel-handle=1540 --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --service-pipe-token=5753046221801148915 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5753046221801148915 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2472 /prefetch:1
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=790297802603284971 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=790297802603284971 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=5397054880529421805 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5397054880529421805 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=9600103168803514220 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9600103168803514220 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=7281898165451541647 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7281898165451541647 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=2766349167648228370 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2766349167648228370 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=15358652876021970593 --mojo-platform-channel-handle=4832 --ignored=' --type=renderer ' /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=13454238612049800161 --mojo-platform-channel-handle=5448 --ignored=' --type=renderer ' /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10205432272691095512 --mojo-platform-channel-handle=5852 --ignored=' --type=renderer ' /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=11844506623908068485 --mojo-platform-channel-handle=5880 --ignored=' --type=renderer ' /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=6426661071507971882 --mojo-platform-channel-handle=5932 --ignored=' --type=renderer ' /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=16920755699783900528 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16920755699783900528 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=12499384309852807203 --mojo-platform-channel-handle=5636 --ignored=' --type=renderer ' /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=5633460633593709161 --mojo-platform-channel-handle=6324 --ignored=' --type=renderer ' /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=6244100719481708259 --mojo-platform-channel-handle=6116 --ignored=' --type=renderer ' /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=gpu-process --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=11981225964935849909 --mojo-platform-channel-handle=5840 /prefetch:2
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=18366797056451876799 --mojo-platform-channel-handle=6028 --ignored=' --type=renderer ' /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=8036913439218428935 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8036913439218428935 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
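The three non-Chrome links in this process tree are the ones worth turning into a rule: a file under the user's Desktop starts RegAsm.exe with no arguments (RegAsm exits immediately without an assembly path, so a long-lived argument-less instance is a hollowed host), and that RegAsm.exe starts vbc.exe with "/shtml <tempfile>", which is the report-export switch of the NirSoft password tools and not a VB.NET compiler option. The Python below is an added example, not part of the Joe Sandbox report and not code from any tool it names. It replays the report's process-creation lines as a constructed event list and applies those three checks; the user-writable prefix list, the .NET utility list and the NirSoft switch list are assumptions chosen for the example, and the single-quoted command lines mirror how the sandbox renders double quotes.

```python
import re
from dataclasses import dataclass

# Parent-image prefixes a standard user (or malware running as that user) can
# write to. Assumption for this example; extend for your own environment.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# .NET Framework binaries commonly used as process-hollowing hosts. Assumption.
DOTNET_UTILITIES = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                    "msbuild.exe", "vbc.exe", "csc.exe"}

# Report-export switches of the NirSoft password-recovery tools. The VB.NET
# compiler vbc.exe accepts none of them, so one on a vbc.exe command line
# means something other than the compiler is running inside that process.
NIRSOFT_EXPORT_SWITCHES = {"/stext", "/stab", "/scomma", "/stabular",
                           "/shtml", "/sverhtml", "/sxml"}

# Constructed events, copied from the "Spawns processes" lines of the report.
EVENTS = [
    {"parent": None,
     "image": r"C:\Users\user\Desktop\Scan Copy.exe",
     "cmdline": r"'C:\Users\user\Desktop\Scan Copy.exe'"},
    {"parent": r"C:\Users\user\Desktop\Scan Copy.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"},
    {"parent": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\ksnmse2n.0su'"},
    {"parent": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\wfryduns.nc4'"},
    # Benign control: Chrome spawning a renderer must not match any rule.
    {"parent": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
     "cmdline": r"'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --lang=en-US /prefetch:1"},
]

# One token per quoted string (single or double quotes) or whitespace-free run.
_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [tok.strip("'\"") for tok in _TOKEN.findall(cmdline)]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def triage(events) -> list:
    """Return one Finding per rule hit over process-creation events."""
    findings = []
    for ev in events:
        name = image_name(ev["image"])
        parent = ev["parent"] or ""
        args = split_cmdline(ev["cmdline"])[1:]
        if name in DOTNET_UTILITIES:
            if parent.lower().startswith(USER_WRITABLE_PREFIXES):
                findings.append(Finding("dotnet_utility_from_user_path",
                                        ev["image"], f"parent={parent}"))
            if not args:
                # Without an assembly argument these tools print usage and exit;
                # an instance that keeps running has been hollowed.
                findings.append(Finding("dotnet_utility_no_arguments",
                                        ev["image"], ev["cmdline"]))
        if name in {"vbc.exe", "csc.exe"}:
            for i, arg in enumerate(args):
                if arg.lower() in NIRSOFT_EXPORT_SWITCHES:
                    out = args[i + 1] if i + 1 < len(args) else "?"
                    findings.append(Finding("nirsoft_export_switch_in_compiler",
                                            ev["image"], f"{arg} {out}"))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule:36} {image_name(f.image):12} {f.detail}")
```

On the report's events this yields four findings: two for RegAsm.exe (user-path parent, no arguments) and one per vbc.exe instance naming the /shtml output file, which is also the file to collect during response since it holds the exported credentials. Feed real EDR or Sysmon event 1 data in the same three-field shape to reuse the rules.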
Uses an in-process (OLE) Automation server
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Uses Microsoft Silverlight (sandbox label; mscorrc.dll is the .NET Framework 2.0 runtime's resource library, so this is a generic CLR-load indicator, not evidence of Silverlight)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed (the key is Outlook's account store; read from vbc.exe, which also carries the Mail PassView debug path listed below, this is consistent with mail credential harvesting rather than an installation check)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Submission file is bigger than most known malware samples
Source: Scan Copy.exe | Static file information: File size 1301504 > 1048576
Uses new MSVCR Dlls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
PE file contains a mix of data directories often seen in goodware
Source: Scan Copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Scan Copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Scan Copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Scan Copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Scan Copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Scan Copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
PE file contains a debug data directory
Source: Scan Copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols (two groups: the mailpv and WebBrowserPassView paths are the NirSoft password-recovery tools running inside vbc.exe, matching the /shtml export switches in the process list; the five NanoCore*.pdb / *Plugin.pdb paths are NanoCore client plug-in projects recovered from RegAsm.exe memory)
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: vbc.exe
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: RegAsm.exe, 00000001.00000003.4970400801.00000000044CA000.00000004.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: RegAsm.exe, 00000001.00000003.4970400801.00000000044CA000.00000004.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: RegAsm.exe, 00000001.00000003.4970400801.00000000044CA000.00000004.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: RegAsm.exe, 00000001.00000003.4970400801.00000000044CA000.00000004.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: RegAsm.exe, 00000001.00000003.4970400801.00000000044CA000.00000004.sdmp
PE file contains a valid data directory to section mapping
Source: Scan Copy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Scan Copy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Scan Copy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Scan Copy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Scan Copy.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker
Source: 0.3.Scan Copy.exe.e90000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.3.Scan Copy.exe.e90000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D3C304 LoadLibraryA,GetProcAddress,0_2_00D3C304
PE file contains an invalid checksum
Source: Scan Copy.exe | Static PE information: real checksum: 0xe555d should be: 0x141402
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CE8B85 push ecx; ret 0_2_00CE8B98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00411879 push ecx; ret 2_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_004118A0 push eax; ret 2_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_004118A0 push eax; ret 2_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_1_00411879 push ecx; ret 2_1_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_1_004118A0 push eax; ret 2_1_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_1_004118A0 push eax; ret 2_1_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00442871 push ecx; ret 3_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00442A90 push eax; ret 3_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00442A90 push eax; ret 3_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00446E54 push eax; ret 3_2_00446E61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_1_00442871 push ecx; ret 3_1_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_1_00442A90 push eax; ret 3_1_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_1_00442A90 push eax; ret 3_1_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_1_00446E54 push eax; ret 3_1_00446E61
.NET source code contains many randomly named methods
Source: 0.3.Scan Copy.exe.e90000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 0.3.Scan Copy.exe.e90000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00CC4A35
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00D455FD
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CE33C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00CE33C7
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Scan Copy.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (74 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)

Malware Analysis System Evasion:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,3_2_00408836
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Scan Copy.exe | Window / User API: threadDelayed 884
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: foregroundWindowGot 658
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: foregroundWindowGot 538
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\Scan Copy.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-98005
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Scan Copy.exe | API coverage: 4.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Scan Copy.exe TID: 148 | Thread sleep count: 884 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 860 | Thread sleep time: -1844674407370954s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D24696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00D24696
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D23D4E
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00D2C9C7
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2C93C FindFirstFileW,FindClose,0_2_00D2C93C
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D2F200
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D2F35D
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D2F65E
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D23A2B
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D2BF27
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,2_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_1_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,2_1_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,3_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,3_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_1_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,3_1_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_1_00407E0E FindFirstFileW,FindNextFileW,FindClose,3_1_00407E0E
Contains functionality to query system information
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00CC4AFE
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: Scan Copy.exe, 00000000.00000003.4884321865.00000000001FC000.00000004.sdmp | Binary or memory string: QBPNCQEMUDFTILUZQXAVVCKAUXQREIGYHHQBGGSCQSFWUUKLTIe
Source: Scan Copy.exe, 00000000.00000003.5061915291.00000000001DD000.00000004.sdmp | Binary or memory string: '$CQEMUDFTILUZQXAVVCKAUXQREIGYHHQBGGSCQSFWUUKLTI
Source: Scan Copy.exe, 00000000.00000003.5061287478.00000000001DF000.00000004.sdmp | Binary or memory string: CQEMUDFTILUZQXAVVCKAUXQREIGYHHQBGGSCQSFWUUKLTI
Program exit points
Source: C:\Users\user\Desktop\Scan Copy.exe | API call chain: ExitProcess graph end node graph_0-98006
Queries a list of all running processes
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: KernelDebuggerInformation
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D341FD BlockInput,0_2_00D341FD
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00CC3B4C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CF5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00CF5CCC
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 3_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,3_2_00408836
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D3C304 LoadLibraryA,GetProcAddress,0_2_00D3C304
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00D181F7
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CEA364 SetUnhandledExceptionFilter,0_2_00CEA364
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CEA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00CEA395
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D18C93 LogonUserW,0_2_00D18C93
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00CC3B4C
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00CC4A35
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D24EC9 mouse_event,0_2_00D24EC9
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Scan Copy.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\ksnmse2n.0su'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\wfryduns.nc4'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=crashpad-handler '--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data' /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler '--database=C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad' '--metrics-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data' --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=70.0.3538.102 --initial-client-data=0x1d4,0x1d8,0x1dc,0x1d0,0x1e0,0x7ffbabdc54d0,0x7ffbabdc54e0,0x7ffbabdc54f0
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=gpu-process --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=1356842001423792367 --mojo-platform-channel-handle=1540 --ignored=' --type=renderer ' /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --service-pipe-token=5753046221801148915 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5753046221801148915 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2472 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=790297802603284971 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=790297802603284971 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=5397054880529421805 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5397054880529421805 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=9600103168803514220 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9600103168803514220 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=7281898165451541647 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7281898165451541647 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=2766349167648228370 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2766349167648228370 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=15358652876021970593 --mojo-platform-channel-handle=4832 --ignored=' --type=renderer ' /prefetch:8
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=13454238612049800161 --mojo-platform-channel-handle=5448 --ignored=' --type=renderer ' /prefetch:8
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10205432272691095512 --mojo-platform-channel-handle=5852 --ignored=' --type=renderer ' /prefetch:8
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=11844506623908068485 --mojo-platform-channel-handle=5880 --ignored=' --type=renderer ' /prefetch:8
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=6426661071507971882 --mojo-platform-channel-handle=5932 --ignored=' --type=renderer ' /prefetch:8
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=16920755699783900528 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16920755699783900528 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=12499384309852807203 --mojo-platform-channel-handle=5636 --ignored=' --type=renderer ' /prefetch:8
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=5633460633593709161 --mojo-platform-channel-handle=6324 --ignored=' --type=renderer ' /prefetch:8
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=6244100719481708259 --mojo-platform-channel-handle=6116 --ignored=' --type=renderer ' /prefetch:8
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=gpu-process --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=11981225964935849909 --mojo-platform-channel-handle=5840 /prefetch:2
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=18366797056451876799 --mojo-platform-channel-handle=6028 --ignored=' --type=renderer ' /prefetch:8
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=8036913439218428935 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8036913439218428935 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --no-sandbox --service-request-channel-token=9293926589365566293 --mojo-platform-channel-handle=2344 /prefetch:8
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=13774192371078126979 --mojo-platform-channel-handle=2344 --ignored=' --type=renderer ' /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=crashpad-handler '--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data' /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler '--database=C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad' '--metrics-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data' --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=70.0.3538.102 --initial-client-data=0x1d4,0x1d8,0x1dc,0x1d0,0x1e0,0x7ffbabdc54d0,0x7ffbabdc54e0,0x7ffbabdc54f0Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=gpu-process --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=1356842001423792367 --mojo-platform-channel-handle=1540 --ignored=' --type=renderer ' /prefetch:2Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --service-pipe-token=5753046221801148915 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5753046221801148915 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2472 /prefetch:1Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=790297802603284971 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=790297802603284971 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=5397054880529421805 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5397054880529421805 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=9600103168803514220 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9600103168803514220 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=7281898165451541647 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7281898165451541647 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=2766349167648228370 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2766349167648228370 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=15358652876021970593 --mojo-platform-channel-handle=4832 --ignored=' --type=renderer ' /prefetch:8Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=13454238612049800161 --mojo-platform-channel-handle=5448 --ignored=' --type=renderer ' /prefetch:8Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10205432272691095512 --mojo-platform-channel-handle=5852 --ignored=' --type=renderer ' /prefetch:8Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=11844506623908068485 --mojo-platform-channel-handle=5880 --ignored=' --type=renderer ' /prefetch:8Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=6426661071507971882 --mojo-platform-channel-handle=5932 --ignored=' --type=renderer ' /prefetch:8Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=16920755699783900528 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16920755699783900528 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=12499384309852807203 --mojo-platform-channel-handle=5636 --ignored=' --type=renderer ' /prefetch:8Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=5633460633593709161 --mojo-platform-channel-handle=6324 --ignored=' --type=renderer ' /prefetch:8Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=6244100719481708259 --mojo-platform-channel-handle=6116 --ignored=' --type=renderer ' /prefetch:8Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=gpu-process --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=11981225964935849909 --mojo-platform-channel-handle=5840 /prefetch:2Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=utility --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=18366797056451876799 --mojo-platform-channel-handle=6028 --ignored=' --type=renderer ' /prefetch:8Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --type=renderer --field-trial-handle=1532,4017525764785232040,323689352464124271,131072 --disable-gpu-compositing --service-pipe-token=8036913439218428935 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8036913439218428935 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1Jump to behavior
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00D181F7
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D24C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00D24C03
May try to detect the Windows Explorer process (often used for injection)
Source: Scan Copy.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegAsm.exe, 00000001.00000003.5104181549.000000000612B000.00000004.sdmp | Binary or memory string: Program Manager
Source: Scan Copy.exe | Binary or memory string: Shell_TrayWnd
Source: KB_491203.dat.1.dr | Binary or memory string: [explorer] Program Manager

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CE886B cpuid 0_2_00CE886B
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CF50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00CF50D7
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D02230 GetUserNameW, 0_2_00D02230
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CF418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00CF418A
Contains functionality to query windows version
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00CC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00CC4AFE
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\Scan Copy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\6c4zjj0s.default\pkcs11.txt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\pkcs11.txt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 2_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 2_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword 2_2_004033D7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 2_1_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 2_1_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword 2_1_004033D7
OS version to string mapping found (often used in BOTs)
Source: Scan Copy.exe | Binary or memory string: WIN_81
Source: Scan Copy.exe | Binary or memory string: WIN_XP
Source: Scan Copy.exe | Binary or memory string: WIN_XPe
Source: Scan Copy.exe | Binary or memory string: WIN_VISTA
Source: Scan Copy.exe | Binary or memory string: WIN_7
Source: Scan Copy.exe | Binary or memory string: WIN_8
Source: Scan Copy.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality:

Detected Nanocore Rat
Source: Scan Copy.exe, 00000000.00000003.4891663239.0000000000240000.00000004.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000001.00000003.4970400801.00000000044CA000.00000004.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000001.00000003.4970400801.00000000044CA000.00000004.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHand
Source: RegAsm.exe, 00000001.00000003.4970400801.00000000044CA000.00000004.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleC
Source: RegAsm.exe, 00000001.00000003.4970400801.00000000044CA000.00000004.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.C
Source: RegAsm.exe, 00000001.00000003.4970400801.00000000044CA000.00000004.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCa
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D36596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00D36596
Source: C:\Users\user\Desktop\Scan Copy.exe | Code function: 0_2_00D36A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00D36A5A

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info