
Analysis Report Scanned doc.exe

Overview

General Information

Sample Name:Scanned doc.exe
Analysis ID:255458
MD5:70cf26be4ca82d7a3e0c7092d02d0520
SHA1:33701ba7b7ecec46decec6095dd47eb455f540d6
SHA256:a7af597188e3940ae7010e605d11e10b33f48632d2fec2c061c0c46d75c531b1

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • Scanned doc.exe (PID: 2944 cmdline: 'C:\Users\user\Desktop\Scanned doc.exe' MD5: 70CF26BE4CA82D7A3E0C7092D02D0520)
    • schtasks.exe (PID: 6392 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp63AF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Scanned doc.exe (PID: 6360 cmdline: {path} MD5: 70CF26BE4CA82D7A3E0C7092D02D0520)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "RSQoyhdsh", "URL: ": "https://WHVCZuV1hk05jZ.net", "To: ": "goksal.sir@prosoftelektrik.com", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "dIZgI1TjqfyK", "From: ": "goksal.sir@prosoftelektrik.com"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Scanned doc.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x155b5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\&startupname&.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x155b5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.494875903.0000000002B0E000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.494875903.0000000002B0E000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.250558713.0000000000872000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x153b5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000003.00000002.490974147.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000000.222111771.0000000000872000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x153b5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
(9 entries in total; the remaining entries are not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.Scanned doc.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.0.Scanned doc.exe.870000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x155b5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.2.Scanned doc.exe.870000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x155b5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
3.0.Scanned doc.exe.670000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x155b5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
3.2.Scanned doc.exe.670000.1.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • Strings: 0x155b5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data:
  • Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp63AF.tmp'
  • CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp63AF.tmp'
  • CommandLine|base64offset|contains: *j
  • Image: C:\Windows\SysWOW64\schtasks.exe
  • NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  • OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  • ParentCommandLine: 'C:\Users\user\Desktop\Scanned doc.exe'
  • ParentImage: C:\Users\user\Desktop\Scanned doc.exe
  • ParentProcessId: 2944
  • ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp63AF.tmp'
  • ProcessId: 6392

Signature Overview

AV Detection:

Found malware configuration
Source: Scanned doc.exe.6360.3.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "RSQoyhdsh", "URL: ": "https://WHVCZuV1hk05jZ.net", "To: ": "goksal.sir@prosoftelektrik.com", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "dIZgI1TjqfyK", "From: ": "goksal.sir@prosoftelektrik.com"}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Scanned doc.exe | Joe Sandbox ML: detected

Networking:

Source: global traffic | TCP traffic: 192.168.2.7:49741 -> 208.91.199.223:587
Source: unknown | DNS traffic detected: queries for: g.msn.com
Source: Scanned doc.exe, 00000003.00000002.495609255.0000000002C3A000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Scanned doc.exe, 00000003.00000002.495609255.0000000002C3A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: Scanned doc.exe, 00000000.00000002.263763620.0000000008EC1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Scanned doc.exe, 00000003.00000002.495529111.0000000002C2E000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Scanned doc.exe, 00000000.00000003.228587127.0000000005B22000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Scanned doc.exe, 00000000.00000003.226543205.0000000005B21000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Scanned doc.exe, 00000000.00000003.226543205.0000000005B21000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com9
Source: Scanned doc.exe, 00000000.00000003.226543205.0000000005B21000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: Scanned doc.exe, 00000000.00000003.226329794.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comego
Source: Scanned doc.exe, 00000000.00000003.226576479.0000000005B21000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comicr
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Scanned doc.exe, 00000000.00000003.226543205.0000000005B21000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comsof
Source: Scanned doc.exe, 00000000.00000003.226543205.0000000005B21000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comsoft
Source: Scanned doc.exe, 00000000.00000003.226543205.0000000005B21000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comu
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Scanned doc.exe, 00000000.00000002.251330692.0000000001287000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: Scanned doc.exe, 00000000.00000002.251330692.0000000001287000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Scanned doc.exe, 00000000.00000002.259260030.0000000005BE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Scanned doc.exe, 00000000.00000003.227662226.0000000005B22000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Scanned doc.exe, 00000003.00000002.494875903.0000000002B0E000.00000004.00000001.sdmp, Scanned doc.exe, 00000003.00000002.495796690.0000000002C60000.00000004.00000001.sdmp | String found in binary or memory: https://WHVCZuV1hk05jZ.net
Source: Scanned doc.exe, 00000003.00000002.494875903.0000000002B0E000.00000004.00000001.sdmp | String found in binary or memory: https://WHVCZuV1hk05jZ.netT
Source: Scanned doc.exe, 00000003.00000002.495609255.0000000002C3A000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Scanned doc.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Scanned doc.exe
Source: C:\Users\user\Desktop\Scanned doc.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Source: C:\Users\user\Desktop\Scanned doc.exe | Code function: 0_2_008722DB, 0_2_02B3C9E4, 0_2_02B3EDB0, 0_2_02B3EDA0, 0_2_07682D78, 0_2_0768CD18, 0_2_07689CC0, 0_2_0768FB40, 0_2_07683318, 0_2_0768BB98, 0_2_07684240, 0_2_07682128, 0_2_07686990, 0_2_07680040, 0_2_076828C8, 0_2_0768D768, 0_2_0768BFC0, 0_2_076867A0, 0_2_076867B0, 0_2_07685F80, 0_2_07685F90, 0_2_07689F90, 0_2_07682D68, 0_2_07686520, 0_2_07681507, 0_2_07681518, 0_2_0768651A, 0_2_0768A5B8, 0_2_07685C60, 0_2_07685C70, 0_2_076874E0, 0_2_076874DC, 0_2_07683309, 0_2_07686300, 0_2_0768D238, 0_2_076862F2, 0_2_07684140, 0_2_07685100, 0_2_07685110
Source: C:\Users\user\Desktop\Scanned doc.exe | Code function: 3_2_006722DB, 3_2_00F0FB30, 3_2_00F0FB2E, 3_2_010B0040, 3_2_010B8468, 3_2_010B2F60, 3_2_010B1D64, 3_2_010B8198, 3_2_010B0006, 3_2_010B845B, 3_2_010B2F52, 3_2_010B7948, 3_2_010B79BC, 3_2_010B1D58, 3_2_010B3C50, 3_2_05C7BE70, 3_2_05C7E1D8, 3_2_05C79930, 3_2_05C7F0F9, 3_2_05C7A220, 3_2_05C7358A, 3_2_05C7352A, 3_2_05C79CA8, 3_2_05C72428, 3_2_05C72438, 3_2_05C76F01, 3_2_05C76F10, 3_2_05C7D6C0, 3_2_05C7C6F8, 3_2_05C73E80, 3_2_05C73E90, 3_2_05C7BE60, 3_2_05C7F621, 3_2_05C731C0, 3_2_05C7E1C8, 3_2_05C731B2, 3_2_05C7011B, 3_2_05C70040, 3_2_05C72858, 3_2_05C7E860, 3_2_05C72868, 3_2_05C78B78, 3_2_05C732CA, 3_2_05C7329A, 3_2_05C732B7
Source: Scanned doc.exe | Binary or memory string: OriginalFilename vs Scanned doc.exe
Source: Scanned doc.exe, 00000000.00000002.251624136.0000000002C01000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs Scanned doc.exe
Source: Scanned doc.exe, 00000000.00000002.262523679.00000000075E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs Scanned doc.exe
Source: Scanned doc.exe, 00000000.00000002.265355670.000000000A5F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Scanned doc.exe
Source: Scanned doc.exe, 00000000.00000002.251851709.0000000003CBE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePemfDPnqwxdJltRvpbbdxUqOnXMeA.exe4 vs Scanned doc.exe
Source: Scanned doc.exe | Binary or memory string: OriginalFilename vs Scanned doc.exe
Source: Scanned doc.exe, 00000003.00000002.498841321.0000000005B20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Scanned doc.exe
Source: Scanned doc.exe, 00000003.00000002.499296762.0000000005FF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Scanned doc.exe
Source: Scanned doc.exe, 00000003.00000002.491472551.0000000000448000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePemfDPnqwxdJltRvpbbdxUqOnXMeA.exe4 vs Scanned doc.exe
Source: Scanned doc.exe, 00000003.00000002.499209143.0000000005FB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Scanned doc.exe
Source: Scanned doc.exe, 00000003.00000002.491919996.0000000000AF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Scanned doc.exe
Source: Scanned doc.exe, 00000003.00000002.499245728.0000000005FC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Scanned doc.exe
Source: Scanned doc.exe, 00000003.00000002.498436833.0000000004FF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs Scanned doc.exe
Source: Scanned doc.exe | Binary or memory string: OriginalFilenameBumPm.exe< vs Scanned doc.exe
Matched rule: SUSP_Reversed_Base64_Encoded_EXE (date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file) in the following sources:
  • Scanned doc.exe, type: SAMPLE
  • 00000000.00000002.250558713.0000000000872000.00000002.00020000.sdmp, type: MEMORY
  • 00000000.00000000.222111771.0000000000872000.00000002.00020000.sdmp, type: MEMORY
  • 00000003.00000000.249425717.0000000000672000.00000002.00020000.sdmp, type: MEMORY
  • 00000003.00000002.491501391.0000000000672000.00000002.00020000.sdmp, type: MEMORY
  • Process Memory Space: Scanned doc.exe PID: 2944, type: MEMORY
  • Process Memory Space: Scanned doc.exe PID: 6360, type: MEMORY
  • C:\Users\user\AppData\Local\Temp\&startupname&.exe, type: DROPPED
  • 0.0.Scanned doc.exe.870000.0.unpack, type: UNPACKEDPE
  • 0.2.Scanned doc.exe.870000.0.unpack, type: UNPACKEDPE
  • 3.0.Scanned doc.exe.670000.0.unpack, type: UNPACKEDPE
  • 3.2.Scanned doc.exe.670000.1.unpack, type: UNPACKEDPE
          Source: Scanned doc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: &startupname&.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/4@3/1
          Source: C:\Users\user\Desktop\Scanned doc.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scanned doc.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
          Source: C:\Users\user\Desktop\Scanned doc.exeFile created: C:\Users\user\AppData\Local\Temp\&startupname&.exeJump to behavior
          Source: Scanned doc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Scanned doc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\Scanned doc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\Scanned doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\Scanned doc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\Scanned doc.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\Scanned doc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\Scanned doc.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\Scanned doc.exe | File read: C:\Users\user\Desktop\Scanned doc.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Scanned doc.exe 'C:\Users\user\Desktop\Scanned doc.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp63AF.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\Desktop\Scanned doc.exe {path}
          Source: C:\Users\user\Desktop\Scanned doc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp63AF.tmp'
          Source: C:\Users\user\Desktop\Scanned doc.exe | Process created: C:\Users\user\Desktop\Scanned doc.exe {path}
          Source: C:\Users\user\Desktop\Scanned doc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\Scanned doc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Users\user\Desktop\Scanned doc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: Scanned doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Scanned doc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: C:\Users\user\Desktop\Scanned doc.exe | Code function: 0_2_00877BD3 push es; ret 0_2_008780A0
          Source: C:\Users\user\Desktop\Scanned doc.exe | Code function: 0_2_07680C7B push ss; iretd 0_2_07680CEE
          Source: C:\Users\user\Desktop\Scanned doc.exe | Code function: 3_2_00677BD3 push es; ret 3_2_006780A0
          Source: C:\Users\user\Desktop\Scanned doc.exe | Code function: 3_2_05C78906 push F00613D0h; iretd 3_2_05C78905
          Source: C:\Users\user\Desktop\Scanned doc.exe | Code function: 3_2_05C77700 push 8BBC75FFh; iretd 3_2_05C77715
          Source: C:\Users\user\Desktop\Scanned doc.exe | Code function: 3_2_05C7A675 push ds; ret 3_2_05C7A676
          Source: C:\Users\user\Desktop\Scanned doc.exe | Code function: 3_2_05C7518B push ecx; ret 3_2_05C7518C
          Source: C:\Users\user\Desktop\Scanned doc.exe | Code function: 3_2_05C78900 push F00613D0h; iretd 3_2_05C78905
          Source: C:\Users\user\Desktop\Scanned doc.exe | Code function: 3_2_05C72035 push ds; ret 3_2_05C72036
          Source: C:\Users\user\Desktop\Scanned doc.exe | Code function: 3_2_05C72BE1 push ds; ret 3_2_05C72BE2
          Source: initial sample | Static PE information: section name: .text entropy: 7.85134154122
          Source: C:\Users\user\Desktop\Scanned doc.exe | File created: C:\Users\user\AppData\Local\Temp\&startupname&.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp63AF.tmp'
          Source: C:\Users\user\Desktop\Scanned doc.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: Process Memory Space: Scanned doc.exe PID: 2944, type: MEMORY
          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\Scanned doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\Scanned doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Scanned doc.exe, 00000000.00000003.244639690.0000000009604000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: Scanned doc.exe, 00000000.00000003.244639690.0000000009604000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\Scanned doc.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: C:\Users\user\Desktop\Scanned doc.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\Scanned doc.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Scanned doc.exe | Window / User API: threadDelayed 751
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 380 | Thread sleep time: -41000s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 5040 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 3192 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 3792 | Thread sleep count: 241 > 30
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 5096 | Thread sleep count: 751 > 30
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -89718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -59594s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -59312s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -88359s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -58718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -87750s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -58218s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -86718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -86391s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -57406s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -56906s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -56718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -84750s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -84468s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -56094s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -55594s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -54906s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -54718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -53812s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -53594s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -52718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -52500s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -51718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -50312s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -50094s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -49000s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -47906s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -47718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -46812s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -46594s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -45718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -41218s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -40312s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -39594s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -39406s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -39218s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -39000s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -38718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -38500s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -38312s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -38094s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -37906s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -37406s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -37218s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -37000s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -36812s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -36594s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -36312s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -36094s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -35906s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -35718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -35500s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -35218s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -35000s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -34812s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -34594s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -34406s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -34218s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -33906s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -33718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -33500s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -33312s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -33094s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -32812s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -32594s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -32406s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -32218s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -32000s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -31718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -31500s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -31312s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -31094s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -30906s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -30718s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -30406s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -30218s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe TID: 6388 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\Scanned doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\Scanned doc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\Scanned doc.exe | Last function: Thread delayed
          Source: Scanned doc.exe, 00000003.00000002.498841321.0000000005B20000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: Scanned doc.exe, 00000000.00000003.244639690.0000000009604000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: Scanned doc.exe, 00000000.00000003.244639690.0000000009604000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Scanned doc.exe, 00000000.00000003.244639690.0000000009604000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: Scanned doc.exe, 00000000.00000003.244639690.0000000009604000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: Scanned doc.exe, 00000000.00000003.244639690.0000000009604000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Scanned doc.exe, 00000003.00000002.498841321.0000000005B20000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: Scanned doc.exe, 00000003.00000002.498841321.0000000005B20000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: Scanned doc.exe, 00000000.00000003.244639690.0000000009604000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: Scanned doc.exe, 00000000.00000003.244639690.0000000009604000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: Scanned doc.exe, 00000000.00000003.244639690.0000000009604000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: Scanned doc.exe, 00000003.00000002.499716455.0000000006140000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: Scanned doc.exe, 00000003.00000002.498841321.0000000005B20000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Scanned doc.exe | Process information queried: ProcessInformation

          Anti Debugging:

          Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
          Source: C:\Users\user\Desktop\Scanned doc.exe | Code function: 0_2_076812D8 CheckRemoteDebuggerPresent,0_2_076812D8
          Source: C:\Users\user\Desktop\Scanned doc.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Scanned doc.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Scanned doc.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Scanned doc.exe | Memory written: C:\Users\user\Desktop\Scanned doc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\Scanned doc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp63AF.tmp'
          Source: C:\Users\user\Desktop\Scanned doc.exe | Process created: C:\Users\user\Desktop\Scanned doc.exe {path}
          Source: Scanned doc.exe, 00000003.00000002.493889292.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: Scanned doc.exe, 00000003.00000002.493889292.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: Scanned doc.exe, 00000003.00000002.493889292.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: Scanned doc.exe, 00000003.00000002.493889292.0000000001460000.00000002.00000001.sdmp | Binary or memory string: jProgram Manager
          Source: C:\Users\user\Desktop\Scanned doc.exe | Queries volume information: C:\Users\user\Desktop\Scanned doc.exe VolumeInformation
          Source: C:\Users\user\Desktop\Scanned doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Scanned doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Scanned doc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Scanned doc.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Scanned doc.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Scanned doc.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Scanned doc.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Scanned doc.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Scanned doc.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Scanned doc.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Scanned doc.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Scanned doc.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Scanned doc.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Scanned doc.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Scanned doc.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJ