
Analysis Report Scan-Copy.exe

Overview

General Information

Sample Name: Scan-Copy.exe
Analysis ID: 251154
MD5: a0c68f83eab0c7fc892546501c4b7a82
SHA1: 51e71bfb9b19c00b188c6c549f6180ed1639940d
SHA256: 078acd1810907a12e002129c343b0c0a73f3e62de1b6eb3020942fca6fe2aee4


Detection

AgentTesla
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • Scan-Copy.exe (PID: 5396 cmdline: 'C:\Users\user\Desktop\Scan-Copy.exe' MD5: A0C68F83EAB0C7FC892546501C4B7A82)
    • Scan-Copy.exe (PID: 4856 cmdline: {path} MD5: A0C68F83EAB0C7FC892546501C4B7A82)
    • Scan-Copy.exe (PID: 4064 cmdline: {path} MD5: A0C68F83EAB0C7FC892546501C4B7A82)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "bqemf", "URL: ": "http://XGdvNRF0EyWN7ck59Nd.com", "To: ": "chuk5anderson@yandex.ru", "ByHost: ": "smtp.yandex.com:587", "Password: ": "yTPN1Z", "From: ": "chuk5anderson@yandex.ru"}
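The extracted configuration is the most actionable part of this report: AgentTesla exfiltrates over authenticated SMTP, here to smtp.yandex.com:587 (the flow 192.168.2.5:49734 -> 77.88.21.158:587 in the signature section below), using the account shown. The Python below is an added example, not code from Joe Sandbox or from this report. It normalises the extractor's key names (they carry a trailing ": ") and runs two checks over Sysmon-style network-connection records (EventID 3): an exact IOC match on the configured host and port, and a broader hunt for any process outside an assumed mail-client allowlist opening an SMTP port. The event records, PIDs other than 4064, and the MAIL_CLIENTS allowlist are constructed assumptions.

```python
import json

# The configuration exactly as the sandbox's extractor printed it above (keys carry a trailing ": ").
RAW_CONFIG = ('{"Username: ": "bqemf", "URL: ": "http://XGdvNRF0EyWN7ck59Nd.com", '
              '"To: ": "chuk5anderson@yandex.ru", "ByHost: ": "smtp.yandex.com:587", '
              '"Password: ": "yTPN1Z", "From: ": "chuk5anderson@yandex.ru"}')

SMTP_PORTS = {25, 465, 587}
# Assumed allowlist of images expected to speak SMTP from a workstation; tune per environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def parse_extractor_config(raw: str) -> dict:
    """Normalise the extractor's keys ('ByHost: ' -> 'byhost') and split the host:port pair."""
    cfg = {k.strip().rstrip(":").lower(): v for k, v in json.loads(raw).items()}
    host, _, port = cfg["byhost"].rpartition(":")
    cfg["smtp_host"], cfg["smtp_port"] = host.lower(), int(port)
    return cfg


def smtp_exfil_alerts(events: list, cfg: dict) -> list:
    """Run two checks over Sysmon-style network-connection records (EventID 3).

    IOC:  destination host and port equal the extracted C2 (high confidence).
    HUNT: any outbound SMTP-port connection from an image outside MAIL_CLIENTS
          (catches the same family configured with a different mail host).
    """
    alerts = []
    for e in events:
        if e.get("EventID") != 3 or not e.get("Initiated", True):
            continue                                   # only outbound connections
        image = e["Image"].rsplit("\\", 1)[-1].lower()
        port = int(e["DestinationPort"])
        dest = e.get("DestinationHostname", "").lower()
        if dest == cfg["smtp_host"] and port == cfg["smtp_port"]:
            alerts.append(f"IOC: {image} (PID {e['ProcessId']}) -> {dest}:{port} "
                          f"matches extracted AgentTesla config (from {cfg['from']})")
        elif port in SMTP_PORTS and image not in MAIL_CLIENTS:
            alerts.append(f"HUNT: non-mail process {image} (PID {e['ProcessId']}) "
                          f"-> {e['DestinationIp']}:{port}")
    return alerts


# Constructed events (not from the sandbox's logs); the first mirrors the flow seen in the report.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Users\user\Desktop\Scan-Copy.exe", "ProcessId": 4064, "Initiated": True,
     "SourceIp": "192.168.2.5", "SourcePort": 49734, "DestinationIp": "77.88.21.158",
     "DestinationPort": 587, "DestinationHostname": "smtp.yandex.com"},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "ProcessId": 1234,
     "Initiated": True, "SourceIp": "192.168.2.5", "SourcePort": 50000, "DestinationIp": "203.0.113.10",
     "DestinationPort": 587, "DestinationHostname": "mail.example.com"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 900, "Initiated": True,
     "SourceIp": "192.168.2.5", "SourcePort": 50001, "DestinationIp": "203.0.113.20",
     "DestinationPort": 443, "DestinationHostname": ""},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Roaming\update.exe", "ProcessId": 5555, "Initiated": True,
     "SourceIp": "192.168.2.5", "SourcePort": 50002, "DestinationIp": "198.51.100.7",
     "DestinationPort": 25, "DestinationHostname": ""},
]

if __name__ == "__main__":
    for line in smtp_exfil_alerts(SAMPLE_EVENTS, parse_extractor_config(RAW_CONFIG)):
        print(line)
```

The process name is the weakest indicator here (the lure decides what the file is called, and the version resource reports NnPoL.exe), so the hunt rule keys on behaviour rather than on Scan-Copy.exe. The From/To mailbox and the SMTP host are the pivot for retro-hunting proxy and firewall logs; the credentials belong with the provider's abuse desk, not in a detection rule.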

Yara Overview

Initial Sample

Source: Scan-Copy.exe
Rule: SUSP_Reversed_Base64_Encoded_EXE
Description: Detects an base64 encoded executable with reversed characters
Author: Florian Roth
Strings: 0x1c96a: $sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source: 00000003.00000000.785211171.0000000000F92000.00000002.00020000.sdmp
Rule: SUSP_Reversed_Base64_Encoded_EXE
Description: Detects an base64 encoded executable with reversed characters
Author: Florian Roth
Strings: 0x1c76a: $sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Source: 00000003.00000002.1189557544.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_AgentTesla_1
Description: Yara detected AgentTesla
Author: Joe Security

Source: 00000003.00000002.1189662730.0000000000F92000.00000002.00020000.sdmp
Rule: SUSP_Reversed_Base64_Encoded_EXE
Description: Detects an base64 encoded executable with reversed characters
Author: Florian Roth
Strings: 0x1c76a: $sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Source: 00000000.00000000.765759794.00000000004E2000.00000002.00020000.sdmp
Rule: SUSP_Reversed_Base64_Encoded_EXE
Description: Detects an base64 encoded executable with reversed characters
Author: Florian Roth
Strings: 0x1c76a: $sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Source: 00000003.00000002.1193280470.000000000391A000.00000004.00000001.sdmp
Rule: JoeSecurity_AgentTesla_1
Description: Yara detected AgentTesla
Author: Joe Security

10 further memory-dump entries are not shown on this page.

Unpacked PEs

Source: 0.0.Scan-Copy.exe.4e0000.0.unpack
Rule: SUSP_Reversed_Base64_Encoded_EXE
Description: Detects an base64 encoded executable with reversed characters
Author: Florian Roth
Strings: 0x1c96a: $sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Source: 3.0.Scan-Copy.exe.f90000.0.unpack
Rule: SUSP_Reversed_Base64_Encoded_EXE
Description: Detects an base64 encoded executable with reversed characters
Author: Florian Roth
Strings: 0x1c96a: $sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Source: 2.0.Scan-Copy.exe.50000.0.unpack
Rule: SUSP_Reversed_Base64_Encoded_EXE
Description: Detects an base64 encoded executable with reversed characters
Author: Florian Roth
Strings: 0x1c96a: $sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Source: 0.2.Scan-Copy.exe.4e0000.0.unpack
Rule: SUSP_Reversed_Base64_Encoded_EXE
Description: Detects an base64 encoded executable with reversed characters
Author: Florian Roth
Strings: 0x1c96a: $sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Source: 2.2.Scan-Copy.exe.50000.0.unpack
Rule: SUSP_Reversed_Base64_Encoded_EXE
Description: Detects an base64 encoded executable with reversed characters
Author: Florian Roth
Strings: 0x1c96a: $sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

2 further unpacked-PE entries are not shown on this page.
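The YARA hit above is worth unpacking. $sh3 is the MS-DOS stub text that every PE carries, base64-encoded and then written backwards, which is how a .NET loader can keep its next stage in a resource without a plain "MZ" or "TVqQ" appearing anywhere in the file. The Python below is an added example, not code from this report, from Joe Sandbox or from the rule's author: it decodes the reported string and re-implements the rule's idea as a search for the reversed base64 of the DOS stub message at each of the three base64 alignments (the rule's other $sh strings are not shown on this page; covering all three alignments is the general form of the technique). The fake PE blob and the bytes around it are constructed test input.

```python
import base64

# String $sh3 of Florian Roth's SUSP_Reversed_Base64_Encoded_EXE rule as reported
# above for this sample (offset 0x1c96a in Scan-Copy.exe).
MATCHED_STRING = "uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV"

# Text every MS-DOS stub of a PE carries; the rule looks for it encoded and then reversed.
DOS_STUB_MSG = b"This program cannot be run in DOS mode."


def decode_reversed_base64(s: str) -> bytes:
    """Undo the transformation the rule targets: reverse the characters, then base64-decode."""
    forward = s[::-1]
    forward += "=" * (-len(forward) % 4)   # restore padding in case the match cut a group short
    return base64.b64decode(forward)


def aligned_b64(msg: bytes, k: int) -> str:
    """Base64 text of msg when it starts k bytes (k = 0, 1, 2) into a 3-byte group.

    Only characters whose six bits lie entirely inside msg are returned, so the
    result is a substring of the encoding of any larger blob that contains msg
    at an offset of the form 3n + k, whatever the surrounding bytes are.
    """
    enc = base64.b64encode(b"\x00" * k + msg).decode("ascii")
    start = (8 * k + 5) // 6               # first char fully inside msg
    end = (8 * (k + len(msg))) // 6        # last char fully inside msg (exclusive bound)
    return enc[start:end]


def find_reversed_base64_pe(buf: bytes) -> list[tuple[int, int]]:
    """Return (offset, alignment) for every reversed-base64 DOS-stub marker in buf.

    This is the rule's detection idea in Python: three needles, one per base64
    alignment of the DOS stub message, each written backwards.
    """
    hits = []
    for k in range(3):
        needle = aligned_b64(DOS_STUB_MSG, k)[::-1].encode("ascii")
        pos = buf.find(needle)
        while pos != -1:
            hits.append((pos, k))
            pos = buf.find(needle, pos + 1)
    return hits


def build_sample(stub_offset: int) -> bytes:
    """Constructed test input (not bytes from the sample): a fake PE-shaped blob with the
    DOS stub message at stub_offset, base64-encoded, reversed and embedded in filler."""
    fake_pe = b"MZ" + b"\x00" * (stub_offset - 2) + DOS_STUB_MSG + b"\x00" * 16 + b"PE\x00\x00"
    payload = base64.b64encode(fake_pe)[::-1]
    return b"<resource>" + payload + b"</resource>"


if __name__ == "__main__":
    print(decode_reversed_base64(MATCHED_STRING))
    for off in (0x4C, 0x4D, 0x4E):
        print(hex(off), find_reversed_base64_pe(build_sample(off)))
```

Reversing the reported string and decoding it yields "This program cannot be run in DOS mode.", which is all the rule needs to see. Which of the three needles fires tells you the embedded file's offset modulo 3, a useful sanity check when carving: the payload itself is recovered by slicing the blob with [::-1] and base64-decoding, exactly as decode_reversed_base64 does. A production rule should also cover the reversed "MZ" header variants and cap the search size, since a rule that scans every resource string is cheap to evade by splitting the blob.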

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

      Found malware configuration
      Source: Scan-Copy.exe.4064.3.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "bqemf", "URL: ": "http://XGdvNRF0EyWN7ck59Nd.com", "To: ": "chuk5anderson@yandex.ru", "ByHost: ": "smtp.yandex.com:587", "Password: ": "yTPN1Z", "From: ": "chuk5anderson@yandex.ru"}
      Multi AV Scanner detection for submitted file
      Source: Scan-Copy.exeVirustotal: Detection: 24%
      Source: Scan-Copy.exeReversingLabs: Detection: 18%
      Source: 3.2.Scan-Copy.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
      Source: global trafficTCP traffic: 192.168.2.5:49734 -> 77.88.21.158:587
      Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0156A09A recv
      Source: unknownDNS traffic detected: queries for: smtp.yandex.com
      Source: Scan-Copy.exe, 00000003.00000002.1193945024.0000000003AD8000.00000004.00000001.sdmp, Scan-Copy.exe, 00000003.00000002.1193992615.0000000003AEF000.00000004.00000001.sdmpString found in binary or memory: http://XGdvNRF0EyWN7ck59Nd.com
      Source: Scan-Copy.exe, 00000003.00000002.1191055694.0000000001736000.00000004.00000020.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0h
      Source: Scan-Copy.exe, 00000003.00000002.1191055694.0000000001736000.00000004.00000020.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
      Source: Scan-Copy.exe, 00000003.00000002.1191055694.0000000001736000.00000004.00000020.sdmpString found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
      Source: Scan-Copy.exe, 00000003.00000002.1191055694.0000000001736000.00000004.00000020.sdmpString found in binary or memory: http://repository.certum.pl/ca.cer09
      Source: Scan-Copy.exe, 00000003.00000002.1191055694.0000000001736000.00000004.00000020.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
      Source: Scan-Copy.exe, 00000003.00000002.1191055694.0000000001736000.00000004.00000020.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer0
      Source: Scan-Copy.exe, 00000003.00000002.1191055694.0000000001736000.00000004.00000020.sdmpString found in binary or memory: http://subca.ocsp-certum.com0.
      Source: Scan-Copy.exe, 00000003.00000002.1191055694.0000000001736000.00000004.00000020.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: Scan-Copy.exe, 00000000.00000003.777902971.0000000004F64000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
      Source: Scan-Copy.exe, 00000000.00000003.774531205.0000000004F45000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
      Source: Scan-Copy.exe, 00000000.00000003.774918028.0000000004F45000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comer
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: Scan-Copy.exe, 00000003.00000002.1191055694.0000000001736000.00000004.00000020.sdmpString found in binary or memory: http://www.certum.pl/CPS0
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: Scan-Copy.exe, 00000000.00000003.770877197.0000000004F68000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: Scan-Copy.exe, 00000000.00000003.771369659.0000000004F45000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
      Source: Scan-Copy.exe, 00000000.00000003.771358246.0000000004F40000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/I
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmp, Scan-Copy.exe, 00000000.00000003.767991520.0000000004F65000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: Scan-Copy.exe, 00000000.00000003.778192591.0000000004F64000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com8
      Source: Scan-Copy.exe, 00000000.00000003.778117355.0000000004F64000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.comP
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: Scan-Copy.exe, 00000000.00000002.794048535.0000000006232000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: Scan-Copy.exe, 00000003.00000002.1191055694.0000000001736000.00000004.00000020.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
      Source: Scan-Copy.exe, 00000003.00000002.1191055694.0000000001736000.00000004.00000020.sdmpString found in binary or memory: http://yandex.ocsp-responder.com03
      Source: Scan-Copy.exe, 00000003.00000002.1191055694.0000000001736000.00000004.00000020.sdmpString found in binary or memory: https://www.certum.pl/CPS0
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_060A0472 NtQuerySystemInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_060A0441 NtQuerySystemInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 0_2_004E2050
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 0_2_004E92B1
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 0_2_02764B60
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 0_2_02762630
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 0_2_02762EF8
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 0_2_02764130
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 0_2_027641D8
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 0_2_027634C0
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 0_2_02762F9A
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 0_2_02760198
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 0_2_02760187
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 2_2_000592B1
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 2_2_00052050
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_00F92050
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_00F992B1
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_03310701
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0596E358
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_05960006
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0596E100
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0596E8B0
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0596EBD5
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0596DD00
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0596E8A7
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0596E0EA
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0596EB68
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06407610
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06401218
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640EE27
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640A630
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640A2D0
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640AEEE
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640EB10
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640B72B
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06409330
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_064043D0
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06400070
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06402C74
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06407C00
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06408C30
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640B038
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06402CEE
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640D5D8
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640A9E8
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640BDF8
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640A627
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06403AC0
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640A2C0
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640529B
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640EB00
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06409320
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640CFC8
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_064047CF
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06407BF0
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640478F
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_064043BF
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06408C21
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640B028
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640454F
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640B109
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06400129
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640D5C9
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_064075E1
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640BDE8
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0640DDA4
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06443E24
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0644F060
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06440490
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_064444B0
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06443D60
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06443207
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06442A36
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_06442AD2
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_064444A1
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_0644299A
      Source: Scan-Copy.exeBinary or memory string: OriginalFilename vs Scan-Copy.exe
      Source: Scan-Copy.exe, 00000000.00000002.789447787.0000000002C52000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSparta.dll. vs Scan-Copy.exe
      Source: Scan-Copy.exe, 00000000.00000002.789447787.0000000002C52000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLazarus.exe4 vs Scan-Copy.exe
      Source: Scan-Copy.exe, 00000000.00000002.789377134.0000000002C31000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamekINJThbbOSnapfWysXWRqeBEYYOZyAD.exe4 vs Scan-Copy.exe
      Source: Scan-Copy.exe, 00000000.00000000.765759794.00000000004E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameNnPoL.exe4 vs Scan-Copy.exe
      Source: Scan-Copy.exe, 00000000.00000002.795538911.0000000007F80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Scan-Copy.exe
      Source: Scan-Copy.exeBinary or memory string: OriginalFilename vs Scan-Copy.exe
      Source: Scan-Copy.exe, 00000002.00000002.783819620.0000000000052000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameNnPoL.exe4 vs Scan-Copy.exe
      Source: Scan-Copy.exeBinary or memory string: OriginalFilename vs Scan-Copy.exe
      Source: Scan-Copy.exe, 00000003.00000000.785211171.0000000000F92000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameNnPoL.exe4 vs Scan-Copy.exe
      Source: Scan-Copy.exe, 00000003.00000002.1194869264.0000000005CC0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Scan-Copy.exe
      Source: Scan-Copy.exe, 00000003.00000002.1191856922.0000000003500000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewbemdisp.tlbj% vs Scan-Copy.exe
      Source: Scan-Copy.exe, 00000003.00000002.1189557544.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamekINJThbbOSnapfWysXWRqeBEYYOZyAD.exe4 vs Scan-Copy.exe
      Source: Scan-Copy.exe, 00000003.00000002.1190709055.000000000167A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs Scan-Copy.exe
      Source: Scan-Copy.exe, 00000003.00000002.1195784368.0000000006450000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Scan-Copy.exe
      Source: Scan-Copy.exeBinary or memory string: OriginalFilenameNnPoL.exe4 vs Scan-Copy.exe
      Source: C:\Users\user\Desktop\Scan-Copy.exeSection loaded: security.dll
      Source: Scan-Copy.exe, type: SAMPLEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000003.00000000.785211171.0000000000F92000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000003.00000002.1189662730.0000000000F92000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000000.00000000.765759794.00000000004E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000002.00000002.783819620.0000000000052000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000002.00000000.783544831.0000000000052000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 00000000.00000002.786769239.00000000004E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Process Memory Space: Scan-Copy.exe PID: 4064, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Process Memory Space: Scan-Copy.exe PID: 4856, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Process Memory Space: Scan-Copy.exe PID: 5396, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 0.0.Scan-Copy.exe.4e0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 3.0.Scan-Copy.exe.f90000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 2.0.Scan-Copy.exe.50000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 0.2.Scan-Copy.exe.4e0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 2.2.Scan-Copy.exe.50000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: 3.2.Scan-Copy.exe.f90000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Scan-Copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: classification engineClassification label: mal92.troj.spyw.evad.winEXE@5/1@1/1
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 0_2_04EE0BFE AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 0_2_04EE0BC7 AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_060A02F6 AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\Scan-Copy.exeCode function: 3_2_060A02BF AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\Scan-Copy.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Scan-Copy.exe.log
      Source: C:\Users\user\Desktop\Scan-Copy.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Users\user\Desktop\Scan-Copy.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\Scan-Copy.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\Scan-Copy.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\Scan-Copy.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\Scan-Copy.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\Scan-Copy.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\Scan-Copy.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\Scan-Copy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
      Source: C:\Users\user\Desktop\Scan-Copy.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
      Source: C:\Users\user\Desktop\Scan-Copy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Scan-Copy.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Scan-Copy.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: Scan-Copy.exeString found in binary or memory: /Addv
      Source: unknownProcess created: C:\Users\user\Desktop\Scan-Copy.exe 'C:\Users\user\Desktop\Scan-Copy.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\Scan-Copy.exe {path}
      Source: unknownProcess created: C:\Users\user\Desktop\Scan-Copy.exe {path}
      Source: C:\Users\user\Desktop\Scan-Copy.exeProcess created: C:\Users\user\Desktop\Scan-Copy.exe {path}
      Source: C:\Users\user\Desktop\Scan-Copy.exeProcess created: C:\Users\user\Desktop\Scan-Copy.exe {path}
      Source: C:\Users\user\Desktop\Scan-Copy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
      Source: C:\Users\user\Desktop\Scan-Copy.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: C:\Users\user\Desktop\Scan-Copy.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
      Source: Scan-Copy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: C:\Users\user\Desktop\Scan-Copy.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: Scan-Copy.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Scan-Copy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: ..pdB source: Scan-Copy.exe, 00000000.00000002.789377134.0000000002C31000.00000004.00000001.sdmp
      Source: Binary string: mscorrc.pdb source: Scan-Copy.exe, 00000000.00000002.795538911.0000000007F80000.00000002.00000001.sdmp, Scan-Copy.exe, 00000003.00000002.1195784368.0000000006450000.00000002.00000001.sdmp

      Data Obfuscation:

      Binary contains a suspicious time stamp
      Source: initial sample | Static PE information: 0xEBAA193F [Sat Apr 16 11:55:43 2095 UTC]
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 0_2_004E27C3 push eax; ret 0_2_004E27C4
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 0_2_004E9BE1 push es; ret 0_2_004E9E84
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 0_2_004E9DF6 push es; ret 0_2_004E9E84
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 0_2_004E9BF0 push es; ret 0_2_004E9E84
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 0_2_004E2818 push eax; ret 0_2_004E2819
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 0_2_004E9B12 push es; ret 0_2_004E9E84
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 2_2_00059B12 push es; ret 2_2_00059E84
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 2_2_00052818 push eax; ret 2_2_00052819
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 2_2_000527C3 push eax; ret 2_2_000527C4
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 2_2_00059BE1 push es; ret 2_2_00059E84
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 2_2_00059DF6 push es; ret 2_2_00059E84
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 2_2_00059BF0 push es; ret 2_2_00059E84
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_00F99BF0 push es; ret 3_2_00F99E84
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_00F99DF6 push es; ret 3_2_00F99E84
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_00F99BE1 push es; ret 3_2_00F99E84
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_00F927C3 push eax; ret 3_2_00F927C4
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_00F92818 push eax; ret 3_2_00F92819
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_00F99B12 push es; ret 3_2_00F99E84
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_0640F6CE push 00000069h; ret 3_2_0640F6D5
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_06408C01 push es; ret 3_2_06408C10
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_0640F4B5 push 00000069h; ret 3_2_0640F4B9
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_06401141 push es; retf 3_2_064011F0
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_06406118 push ebx; ret 3_2_0640611F
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_0644125A push 8BFFFFFBh; retf 3_2_06441260
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_064411A3 push esp; iretd 3_2_064411A9
      Source: initial sample | Static PE information: section name: .text entropy: 7.82330111337
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
      Source: C:\Users\user\Desktop\Scan-Copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Scan-Copy.exe TID: 5368 | Thread sleep time: -38000s >= -30000s
      Source: C:\Users\user\Desktop\Scan-Copy.exe TID: 5320 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\Scan-Copy.exe TID: 3572 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\Scan-Copy.exe TID: 5092 | Thread sleep count: 112 > 30
      Source: C:\Users\user\Desktop\Scan-Copy.exe TID: 5092 | Thread sleep time: -56000s >= -30000s
      Source: C:\Users\user\Desktop\Scan-Copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\Scan-Copy.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Last function: Thread delayed
      Source: Scan-Copy.exe, 00000003.00000002.1194869264.0000000005CC0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: Scan-Copy.exe, 00000003.00000002.1194869264.0000000005CC0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Scan-Copy.exe, 00000003.00000002.1194869264.0000000005CC0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: Scan-Copy.exe, 00000003.00000002.1191055694.0000000001736000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: Scan-Copy.exe, 00000003.00000002.1194869264.0000000005CC0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Code function: 3_2_06408920 LdrInitializeThunk,3_2_06408920
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Memory written: C:\Users\user\Desktop\Scan-Copy.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Process created: C:\Users\user\Desktop\Scan-Copy.exe {path}
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Process created: C:\Users\user\Desktop\Scan-Copy.exe {path}
      Source: Scan-Copy.exe, 00000003.00000002.1191377356.0000000001E00000.00000002.00000001.sdmp | Binary or memory string: Program Manager
      Source: Scan-Copy.exe, 00000003.00000002.1191377356.0000000001E00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: Scan-Copy.exe, 00000003.00000002.1191377356.0000000001E00000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: Scan-Copy.exe, 00000003.00000002.1191377356.0000000001E00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Scan-Copy.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump