
Analysis Report ppOZLEmPr2.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 138114
Start date: 03.06.2019
Start time: 16:32:03
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ppOZLEmPr2.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.winEXE@2/29@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 39.1% (good quality ratio 34.8%)
  • Quality average: 67.2%
  • Quality standard deviation: 35.3%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 80
  • Number of non-executed functions: 91
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.

Detection

Strategy: Threshold
Score: 52
Range: 0 - 100
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

The matrix lists the techniques per tactic; a technique followed by a number in parentheses was matched by that many signatures in this analysis.

Initial Access: Valid Accounts, Replication Through Removable Media, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Supply Chain Compromise
Execution: Windows Remote Management, Service Execution, Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting, Third-party Software
Persistence: Winlogon Helper DLL, Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts
Privilege Escalation: Process Injection (1), Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task, Process Injection
Defense Evasion: Disabling Security Tools (1), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), DLL Search Order Hijacking, Software Packing, Indicator Blocking
Credential Access: Credential Dumping, Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History
Discovery: System Time Discovery (1), Query Registry (1), Process Discovery (1), Account Discovery (1), System Owner/User Discovery (1), Security Software Discovery (1), File and Directory Discovery (2), System Information Discovery (23)
Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol
Collection: Clipboard Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection, Clipboard Data
Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol
Command and Control: Standard Cryptographic Protocol (1), Commonly Used Port (1), Custom Cryptographic Protocol, Multiband Communication, Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: ppOZLEmPr2.exe, virustotal: Detection: 55%

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_2_0103A394 memset,FindFirstFileW,memset,PathRemoveFileSpecW,WerRegisterFile,FindNextFileW,FindClose, 10_2_0103A394
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_2_01035DAE FindFirstFileW, 10_2_01035DAE
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_1_0103A394 memset,FindFirstFileW,memset,PathRemoveFileSpecW,WerRegisterFile,FindNextFileW,FindClose, 10_1_0103A394
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_1_01035DAE FindFirstFileW, 10_1_01035DAE

Networking:

Urls found in memory or binary data
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://fontfabrik.com
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.fonts.com
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.sakkal.com
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.tiro.com
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.typography.netD
Source: ppOZLEmPr2.exe, 00000001.00000002.2294870331.0000000005746000.00000002.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_2_0103765E OpenClipboard, 10_2_0103765E

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_00E3E5F2 1_2_00E3E5F2
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_00E3E5F8 1_2_00E3E5F8
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_00E3BFE4 1_2_00E3BFE4
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_07177641 1_2_07177641
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_07172C50 1_2_07172C50
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_071709C8 1_2_071709C8
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_071738C8 1_2_071738C8
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_07172C50 1_2_07172C50
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_07174608 1_2_07174608
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_07174B60 1_2_07174B60
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_07177641 1_2_07177641
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_08536898 1_2_08536898
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: String function: 010429EC appears 34 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: String function: 01034307 appears 246 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: String function: 01043194 appears 116 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: String function: 01034E9D appears 328 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: String function: 010431CA appears 74 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: String function: 0103851B appears 122 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: String function: 01031E20 appears 34 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: String function: 01042BBA appears 262 times
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: String function: 01043161 appears 176 times
Sample file name differs from the original file name gathered from version info
Source: ppOZLEmPr2.exe, 00000001.00000001.571536517.00000000004D6000.00000002.sdmp, Binary or memory string: OriginalFilenamedodgeR.exe. vs ppOZLEmPr2.exe
Source: ppOZLEmPr2.exe, Binary or memory string: OriginalFilenamedodgeR.exe. vs ppOZLEmPr2.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Section loaded: wow64log.dll
Classification label
Source: classification engine, Classification label: mal52.winEXE@2/29@0/0
Contains functionality to check free disk space
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_2_01037025 GetDiskFreeSpaceExW, 10_2_01037025
Contains functionality to instantiate COM classes
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_2_010321A2 CoCreateInstance, 10_2_010321A2
Creates files inside the user directory
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, File created: C:\Users\user\Music\desktop.ini.dodger
PE file has an executable .text section and no other executable section
Source: ppOZLEmPr2.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Reads ini files
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, File read: C:\Users\user\Music\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: ppOZLEmPr2.exe, virustotal: Detection: 55%
Sample might require command line arguments (.Net)
Source: FileCoAuth.exe, String found in binary or memory: /installperfcounters
Spawns processes
Source: unknown, Process created: C:\Users\user\Desktop\ppOZLEmPr2.exe 'C:\Users\user\Desktop\ppOZLEmPr2.exe'
Source: unknown, Process created: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe -Embedding
PE file contains a COM descriptor data directory
Source: ppOZLEmPr2.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: ppOZLEmPr2.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
PE file contains a debug data directory
Source: ppOZLEmPr2.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: FileCoAuth.pdb source: FileCoAuth.exe, 0000000A.00000001.2084692042.0000000001046000.00000002.sdmp
Source: Binary string: FileCoAuth.pdbDD source: FileCoAuth.exe, 0000000A.00000001.2084692042.0000000001046000.00000002.sdmp
Source: Binary string: C:\Users\sveja\Desktop\dodgeR\dodgeR\obj\Debug\dodgeR.pdbjE source: ppOZLEmPr2.exe
Source: Binary string: C:\Users\sveja\Desktop\dodgeR\dodgeR\obj\Debug\dodgeR.pdb source: ppOZLEmPr2.exe

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample, Static PE information: 0xF0C19DE6 [Mon Dec 30 05:45:10 2097 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_004D215F push eax; ret 1_2_004D2160
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_004D22E4 push eax; ret 1_2_004D22E5
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Code function: 1_2_004D23E1 push eax; ret 1_2_004D246E
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_2_0104313E push ecx; ret 10_2_01043151
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_2_01043265 push ecx; ret 10_2_01043278
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_1_0104313E push ecx; ret 10_1_01043151
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_1_01043265 push ecx; ret 10_1_01043278

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, API coverage: 4.8 %
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_2_0103A394 memset,FindFirstFileW,memset,PathRemoveFileSpecW,WerRegisterFile,FindNextFileW,FindClose, 10_2_0103A394
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_2_01035DAE FindFirstFileW, 10_2_01035DAE
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_1_0103A394 memset,FindFirstFileW,memset,PathRemoveFileSpecW,WerRegisterFile,FindNextFileW,FindClose, 10_1_0103A394
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_1_01035DAE FindFirstFileW, 10_1_01035DAE

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_2_0103A7CF IsDebuggerPresent,OutputDebugStringW, 10_2_0103A7CF
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_2_010432C6 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter, 10_2_010432C6
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: 10_1_010432C6 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter, 10_1_010432C6
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: ppOZLEmPr2.exe, 00000001.00000002.2289356120.0000000001220000.00000002.sdmp, FileCoAuth.exe, 0000000A.00000002.2315408751.0000000001200000.00000002.sdmp, Binary or memory string: Program Manager
Source: ppOZLEmPr2.exe, 00000001.00000002.2289356120.0000000001220000.00000002.sdmp, FileCoAuth.exe, 0000000A.00000002.2315408751.0000000001200000.00000002.sdmp, Binary or memory string: Shell_TrayWnd
Source: ppOZLEmPr2.exe, 00000001.00000002.2289356120.0000000001220000.00000002.sdmp, FileCoAuth.exe, 0000000A.00000002.2315408751.0000000001200000.00000002.sdmp, Binary or memory string: Progman
Source: ppOZLEmPr2.exe, 00000001.00000002.2289356120.0000000001220000.00000002.sdmp, FileCoAuth.exe, 0000000A.00000002.2315408751.0000000001200000.00000002.sdmp, Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: GetLocaleInfoW, 10_2_01037325
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe, Code function: GetLocaleInfoW, 10_1_01037325
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Users\user\Desktop\ppOZLEmPr2.exe VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe, Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 10_2_01043471 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,10_2_01043471
Contains functionality to query the account / user name
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 10_2_010369DE memset,GetUserNameW,10_2_010369DE
Contains functionality to query windows version
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 10_2_01041383 GetVersionExW,10_2_01041383
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\ppOZLEmPr2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 10_2_0103ECC0 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,CreateBindCtx,10_2_0103ECC0
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exe | Code function: 10_1_0103ECC0 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,CreateBindCtx,10_1_0103ECC0
Both hits are in the OneDrive helper FileCoAuth.exe rather than in the submitted sample, and the matched API is CreateBindCtx, the COM moniker bind-context call in ole32, not a Winsock bind or listen; treat this signature as a false positive unless socket APIs appear elsewhere in the report.
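The signature rows above (system-information queries and the Remote Access hit) are one flattened table in which the process path runs straight into the event verb. The following Python is an added triage helper, not part of the Joe Sandbox report: it parses rows in this exported format, groups them by source process so that behaviour of the submitted sample is kept apart from the OneDrive helper FileCoAuth.exe, flags the MachineGuid read as host fingerprinting, and checks whether any listed API actually opens a listening socket (CreateBindCtx does not). The row grammar is inferred from the visible rows; FINGERPRINT_VALUES and LISTEN_APIS are my own choices; SAMPLE_ROWS are copies of rows from this report plus one heading line to show that non-rows are skipped.

```python
"""Triage helper for Joe Sandbox style behaviour rows (added example, not report code)."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One flattened row: "Source: <process><event>: <details>[Jump to behavior]".
# The export drops the separator between process path and event verb, so the
# process is anchored on its ".exe" suffix (assumption inferred from the rows).
ROW = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)"
    r"(?P<event>Queries volume information|Code function|Key value queried):\s*"
    r"(?P<rest>.*?)(?:Jump to behavior)?\s*$"
)

# Registry values commonly read to fingerprint a host (my selection).
FINGERPRINT_VALUES = {"machineguid"}
# Winsock calls that really open or accept a listening socket (my selection);
# CreateBindCtx is COM moniker binding and is deliberately absent.
LISTEN_APIS = {"bind", "listen", "accept", "WSAAccept"}


@dataclass
class ProcessSummary:
    volume_queries: list = field(default_factory=list)   # file paths
    code_functions: dict = field(default_factory=dict)   # function id -> APIs
    registry_reads: list = field(default_factory=list)   # (key, value name)


def parse_row(line):
    """Return (process_path, event, details) or None for non-row lines."""
    m = ROW.match(line.strip())
    if not m:
        return None
    src, event, rest = m.group("src"), m.group("event"), m.group("rest").strip()
    if event == "Queries volume information":
        # "<path> VolumeInformation": drop the trailing information-class token
        tag = "VolumeInformation"
        path = rest[: -len(tag)].rstrip() if rest.endswith(tag) else rest
        return src, event, path
    if event == "Code function":
        # "<id> api1,api2,...,<id>": the function id is repeated at both ends
        fid, _, apis = rest.partition(" ")
        return src, event, (fid, [a for a in apis.split(",") if a and a != fid])
    # "Key value queried": "<hive\\key> <value name>"
    key, _, value = rest.rpartition(" ")
    return src, event, (key, value)


def summarize(lines, sample_name):
    """Group rows by process; return (sample processes, other processes)."""
    per_proc = defaultdict(ProcessSummary)
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue
        src, event, details = parsed
        ps = per_proc[src]
        if event == "Queries volume information":
            ps.volume_queries.append(details)
        elif event == "Code function":
            fid, apis = details
            ps.code_functions.setdefault(fid, []).extend(apis)
        else:
            ps.registry_reads.append(details)
    sample = {p: s for p, s in per_proc.items()
              if ntpath.basename(p).lower() == sample_name.lower()}
    others = {p: s for p, s in per_proc.items() if p not in sample}
    return sample, others


def fingerprint_reads(summary):
    """Registry reads of values commonly used as host identifiers."""
    return [(k, v) for k, v in summary.registry_reads if v.lower() in FINGERPRINT_VALUES]


def real_listen_apis(summary):
    """APIs from the Code-function rows that actually open a listening socket."""
    return sorted({a for apis in summary.code_functions.values() for a in apis if a in LISTEN_APIS})


# Rows copied from this report, plus one heading line that must be skipped.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior",
    r"Source: C:\Users\user\Desktop\ppOZLEmPr2.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior",
    r"Source: C:\Users\user\Desktop\ppOZLEmPr2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exeCode function: 10_2_010369DE memset,GetUserNameW,10_2_010369DE",
    r"Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileCoAuth.exeCode function: 10_2_0103ECC0 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,CreateBindCtx,10_2_0103ECC0",
    "Remote Access Functionality:",
]

if __name__ == "__main__":
    sample, others = summarize(SAMPLE_ROWS, "ppOZLEmPr2.exe")
    for proc, summ in {**sample, **others}.items():
        owner = "SAMPLE" if proc in sample else "other"
        print(f"[{owner}] {proc}")
        print(f"  volume queries: {len(summ.volume_queries)}  fingerprint reads: {fingerprint_reads(summ)}")
        print(f"  socket listen APIs: {real_listen_apis(summ) or 'none'}")
```

Run against the full export, the same grouping shows at a glance which signature hits belong to the sample and which were raised on whitelisted helpers; the listen-API check is the control that the "possibly a backdoor" signature lacks.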

Behavior Graph

[Behavior graph image. ID: 138114; Sample: ppOZLEmPr2.exe; Startdate: 03/06/2019; Architecture: WINDOWS; Score: 52. Signatures shown: Multi AV Scanner detection for submitted file; Binary contains a suspicious time stamp. Processes started: ppOZLEmPr2.exe, FileCoAuth.exe.]

Simulations

Behavior and APIs

No simulations

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
ppOZLEmPr2.exe | 56% | virustotal | (no label)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots
