
Analysis Report EMDF.exe

Overview

General Information

Sample Name:EMDF.exe
Analysis ID:289567
MD5:c35d5adaf06949a00d9b2f306c8eb516
SHA1:f7bbebc6e1da2182fa36ab3bac4041efacb86554
SHA256:92c29471d946a8b0c7b9ae00e2e30f735f93d60b02ded1fd3c37adc803a9cdf2
Tags:agenttesla


Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • EMDF.exe (PID: 6888 cmdline: 'C:\Users\user\Desktop\EMDF.exe' MD5: C35D5ADAF06949A00D9B2F306C8EB516)
    • EMDF.exe (PID: 5664 cmdline: 'C:\Users\user\Desktop\EMDF.exe' MD5: C35D5ADAF06949A00D9B2F306C8EB516)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "C9ex5TcySJ", "URL: ": "http://0qZtwJJAsXrA.net", "To: ": "emmydon@flood-protection.org", "ByHost: ": "mail.flood-protection.org:587", "Password: ": "oM3GkP4Pu", "From: ": "emmydon@flood-protection.org"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.630831011.0000000000A12000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.369760678.0000000004362000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.632276707.0000000002964000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.632276707.0000000002964000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.630108745.0000000000469000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.EMDF.exe.9b0000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.EMDF.exe.9b0000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.EMDF.exe.2220000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.EMDF.exe.4320000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.EMDF.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: EMDF.exe | Avira: detected
Found malware configuration
Source: EMDF.exe.5664.1.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "C9ex5TcySJ", "URL: ": "http://0qZtwJJAsXrA.net", "To: ": "emmydon@flood-protection.org", "ByHost: ": "mail.flood-protection.org:587", "Password: ": "oM3GkP4Pu", "From: ": "emmydon@flood-protection.org"}
Multi AV Scanner detection for domain / URL
Source: flood-protection.org | Virustotal: Detection: 10%
Source: mail.flood-protection.org | Virustotal: Detection: 11%
Multi AV Scanner detection for submitted file
Source: EMDF.exe | Virustotal: Detection: 46%
Source: EMDF.exe | ReversingLabs: Detection: 86%
Machine Learning detection for sample
Source: EMDF.exe | Joe Sandbox ML: detected
Source: 1.2.EMDF.exe.2220000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.EMDF.exe.4320000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00408A68 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00405AE4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: global traffic | TCP traffic: 192.168.2.3:49738 -> 85.187.154.178:587
Source: Joe Sandbox View | IP Address: 85.187.154.178
Source: Joe Sandbox View | ASN Name: A2HOSTINGUS
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_022BA186 recv
Source: unknown | DNS traffic detected: queries for: mail.flood-protection.org
Source: EMDF.exe, 00000001.00000002.634112759.0000000002AF4000.00000004.00000001.sdmp, EMDF.exe, 00000001.00000002.634137639.0000000002AFE000.00000004.00000001.sdmp | String found in binary or memory: http://0qZtwJJAsXrA.net
Source: EMDF.exe, 00000001.00000002.632276707.0000000002964000.00000004.00000001.sdmp | String found in binary or memory: http://0qZtwJJAsXrA.netd)
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0042590C GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0043A74C GetKeyboardState
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_004584E0 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0043D684 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00458C5C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00458D0C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00431024 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0044D0B0 GetSubMenu,SaveDC,RestoreDC,739EB080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_00462159 NtCreateSection
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_022BB362 NtQuerySystemInformation
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_022BB331 NtQuerySystemInformation
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00452BB4
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0044D0B0
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0046D380
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00473AA8
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_0045B976
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_0046113D
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C600C1
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C788EF
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C72888
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7C290
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7BCA0
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C73048
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C74270
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C78E28
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7D3C0
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7B7A8
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7F5BF
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C747BA
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7EB59
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7C71F
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7E130
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C79080
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7C280
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7B8B6
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C73455
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C76A54
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C74260
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C72879
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7A018
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C75E3F
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C73038
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C759D4
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C767D8
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C789E4
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C733E1
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7A196
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7D3B1
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C77949
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7D76F
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7E377
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_04C7E120
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05648D38
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05649D18
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_056419A0
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_056495A8
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_0564D180
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05644988
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05648590
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05640070
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05646870
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_0564A049
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05645C28
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_056454F0
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_0564735A
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_0564CBB0
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05642A30
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05641973
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05644978
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05645151
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05648D29
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05649D09
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05648DB8
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05648580
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05649598
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05646860
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_0564642B
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05640006
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_0564040D
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05645C18
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05643CC0
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05643CD0
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_0564CF56
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_0564CBA0
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05641B91
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05641A7F
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05642A20
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05640628
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_0564620F
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_0564CEF5
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_05644EFF
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_0564D280
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_1_004BA1E7
Source: C:\Users\user\Desktop\EMDF.exe | Code function: String function: 004069AC appears 59 times
Source: C:\Users\user\Desktop\EMDF.exe | Code function: String function: 00404344 appears 78 times
Source: EMDF.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: EMDF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EMDF.exe, 00000000.00000002.369979034.00000000043B6000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameYguaTTodsgTGqDpaeWVxJnY.exe4 vs EMDF.exe
Source: EMDF.exe, 00000000.00000002.366961676.0000000002290000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs EMDF.exe
Source: EMDF.exe | Binary or memory string: OriginalFilename vs EMDF.exe
Source: EMDF.exe, 00000001.00000002.630885452.0000000000A66000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameYguaTTodsgTGqDpaeWVxJnY.exe4 vs EMDF.exe
Source: EMDF.exe, 00000001.00000002.635052892.00000000056D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs EMDF.exe
Source: EMDF.exe, 00000001.00000002.634745108.0000000005080000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs EMDF.exe
Source: EMDF.exe, 00000001.00000002.634755528.0000000005090000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs EMDF.exe
Source: EMDF.exe, 00000001.00000002.634985706.00000000055E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs EMDF.exe
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00422A24 GetLastError,FormatMessageA
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_022BB1E6 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 1_2_022BB1AF AdjustTokenPrivileges
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00408BE0 GetDiskFreeSpaceA
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_004158C4 FindResourceA
Source: C:\Users\user\Desktop\EMDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\EMDF.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\EMDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\EMDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\EMDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\EMDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\EMDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\EMDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\EMDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: EMDF.exe | Virustotal: Detection: 46%
Source: EMDF.exe | ReversingLabs: Detection: 86%
Source: unknown | Process created: C:\Users\user\Desktop\EMDF.exe 'C:\Users\user\Desktop\EMDF.exe'
Source: C:\Users\user\Desktop\EMDF.exe | Process created: C:\Users\user\Desktop\EMDF.exe 'C:\Users\user\Desktop\EMDF.exe'
Source: C:\Users\user\Desktop\EMDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\EMDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\EMDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\EMDF.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\EMDF.exe | Unpacked PE file: 1.2.EMDF.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\EMDF.exe | Unpacked PE file: 1.2.EMDF.exe.2220000.3.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\EMDF.exe | Unpacked PE file: 1.2.EMDF.exe.400000.0.unpack
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0045B630 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00444A8C push 00444B19h; ret 0_2_00444B11
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00412070 push 0041219Ch; ret 0_2_00412194
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_004600B4 push 004600E0h; ret 0_2_004600D8
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00412170 push 0041219Ch; ret 0_2_00412194
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_004661A4 push 004661CAh; ret 0_2_004661C2
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00466208 push 00466234h; ret 0_2_0046622C
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0045E2C0 push 0045E2ECh; ret 0_2_0045E2E4
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00460298 push 004602C4h; ret 0_2_004602BC
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0043A4EC push ecx; mov dword ptr [esp], ecx 0_2_0043A4F0
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0045E4F4 push 0045E520h; ret 0_2_0045E518
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00460554 push 00460580h; ret 0_2_00460578
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_004065CE push 00406621h; ret 0_2_00406619
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_004065D0 push 00406621h; ret 0_2_00406619
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0041C664 push ecx; mov dword ptr [esp], edx 0_2_0041C666
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0045A62C push 0045A686h; ret 0_2_0045A67E
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_004646D0 push 0046471Ch; ret 0_2_00464714
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00464684 push 004646B0h; ret 0_2_004646A8
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00464728 push 00464754h; ret 0_2_0046474C
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_004067A0 push 004067CCh; ret 0_2_004067C4
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0040685C push 00406888h; ret 0_2_00406880
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_004148CC push ecx; mov dword ptr [esp], eax 0_2_004148CD
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0041E93C push ecx; mov dword ptr [esp], edx 0_2_0041E941
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00428A4C push 00428B1Ch; ret 0_2_00428B14
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0045AA60 push 0045AA8Ch; ret 0_2_0045AA84
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00444A24 push 00444A8Ah; ret 0_2_00444A82
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0045AAB0 push 0045AAF3h; ret 0_2_0045AAEB
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0045AB18 push 0045AB5Bh; ret 0_2_0045AB53
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00414B30 push ecx; mov dword ptr [esp], edx 0_2_00414B35
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00428C2C push 00428C58h; ret 0_2_00428C50
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00418CB8 push ecx; mov dword ptr [esp], edx 0_2_00418CBA
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0045AD40 push 0045AD6Ch; ret 0_2_0045AD64
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00458568 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00458C5C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0043ED58 IsIconic,GetCapture
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00458D0C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0045565C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0043F600 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_00429A5C IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\Desktop\EMDF.exe | Code function: 0_2_0043FEE4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\user\Desktop\EMDF.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\EMDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\EMDF.exe Code function: 0_2_00433C10
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\EMDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\EMDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Note: the classes actually observed are Win32_BaseBoard (board Manufacturer/Product) and Win32_NetworkAdapterConfiguration (adapter MACAddress); no Win32_Bios or Win32_NetworkAdapter query is recorded in this report.
Source: C:\Users\user\Desktop\EMDF.exe Code function: 0_2_00457B3C GetCurrentThreadId,GetCursorPos,WaitForSingleObject
Source: C:\Users\user\Desktop\EMDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\EMDF.exe Code function: 0_2_00433C10
Source: C:\Users\user\Desktop\EMDF.exe TID: 6712 Thread sleep time (82 calls, each reported as >= -30000s; values in report order, negative because they are relative intervals in the NtDelayExecution convention; the first value is INT64_MAX/10^4, i.e. an effectively infinite wait):
    -922337203685477s, -60000s, -58000s, -56000s, -54500s, -78750s, -52000s, -51000s, -49000s, -71250s,
    -47000s, -68250s, -66000s, -43500s, -42000s, -40500s, -60000s, -39094s, -38500s, -37594s,
    -37000s, -36500s, -35000s, -33500s, -33000s, -31500s, -30000s, -35250s, -59812s, -59626s,
    -59406s, -88359s, -58720s, -87750s, -57812s, -57626s, -86109s, -57000s, -56720s, -56500s,
    -55906s, -55626s, -55406s, -55000s, -54312s, -53906s, -53220s, -53000s, -51626s, -50312s,
    -50000s, -46812s, -46406s, -45312s, -45126s, -44406s, -44220s, -43312s, -43126s, -42906s,
    -39812s, -38906s, -32626s, -32406s, -31126s, -30812s, -30626s, -49500s, -48406s, -46000s,
    -44906s, -41906s, -41688s, -41188s, -39282s, -38594s, -36688s, -34000s, -33782s, -33094s,
    -32906s, -32000s
Source: C:\Users\user\Desktop\EMDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\EMDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\EMDF.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\EMDF.exe Code function: 0_2_00479AA8 GetSystemTime followed by cmp: cmp word ptr [esp+08h], 07dfh and CTI: jnc 00479ACCh (07dfh is 2015; jnc after a cmp is the unsigned "above or equal" branch, so the jump is taken when the compared word is >= 2015)
Source: C:\Users\user\Desktop\EMDF.exe Code function: 0_2_00408A68 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\EMDF.exe Code function: 0_2_00405AE4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\EMDF.exe Code function: 0_2_00422FB4 GetSystemInfo
Source: EMDF.exe, 00000001.00000002.634755528.0000000005090000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: EMDF.exe, 00000001.00000002.634755528.0000000005090000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: EMDF.exe, 00000001.00000002.634755528.0000000005090000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: EMDF.exe, 00000001.00000002.634755528.0000000005090000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note: these four strings are the text of Windows' own Host Compute Service (Hyper-V) error messages and were found in a process memory dump, not in the sample file; a process can carry them through mapped system message tables, so on their own they are weak evidence that the sample looks for Hyper-V.
Source: C:\Users\user\Desktop\EMDF.exe Process information queried: ProcessInformation
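The evasion entries above (WMI class enumeration, the long run of Sleep calls, the GetSystemTime year compare) are easier to reason about as one structured summary than as a flat list. The following Python script is an added example and is not part of the Joe Sandbox report or of the sample: it parses lines in the report's own entry format (a constructed subset with the page's values, embedded inline), reports which VM fingerprint each queried WMI class exposes, sums the finite sleeps, counts sleeps whose value is INT64_MAX/10^4 (effectively infinite), and decodes the immediate of the clock compare. The VM_FIELDS table is analyst knowledge of the WMI schema, and the script assumes the sleep values are milliseconds as passed to Sleep(), despite the "s" suffix the report prints.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# A relative NtDelayExecution interval of INT64_MAX 100-ns ticks, expressed in
# milliseconds. A sleep of this length never returns in practice, so a call
# reported with this value is counted as an infinite sleep rather than summed.
INFINITE_SLEEP_MS = (2**63 - 1) // 10_000  # 922337203685477

WMI_RE = re.compile(r"WMI Queries: IWbemServices::(\w+) - (\S+) : (.+?)\s*$")
SLEEP_RE = re.compile(r"TID: (\d+)\s*Thread sleep time: -(\d+)s >= -(\d+)s")
YEAR_RE = re.compile(
    r"GetSystemTime followed by cmp: cmp word ptr \[[^\]]+\], ([0-9A-Fa-f]+)h and CTI: (j\w+)"
)

# Which VM fingerprint each WMI class exposes. Analyst knowledge of the WMI
# schema (assumption for this example), not something the report states.
VM_FIELDS: Dict[str, str] = {
    "Win32_BaseBoard": "Manufacturer / Product (hypervisor board vendor strings)",
    "Win32_Bios": "Manufacturer / SerialNumber",
    "Win32_NetworkAdapterConfiguration": "MACAddress (OUI of virtual NICs)",
    "Win32_NetworkAdapter": "MACAddress / Name",
    "Win32_Processor": "Name / NumberOfCores (hypervisor CPU names, low core counts)",
}

# Constructed sample in the shape of the report's evasion entries: a subset
# carrying the same values as the page, not the complete list.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\EMDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\EMDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\EMDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\EMDF.exe TID: 6712 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\EMDF.exe TID: 6712 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\EMDF.exe TID: 6712 Thread sleep time: -78750s >= -30000s
Source: C:\Users\user\Desktop\EMDF.exe TID: 6712 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\EMDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\EMDF.exe Code function: 0_2_00479AA8 GetSystemTime followed by cmp: cmp word ptr [esp+08h], 07dfh and CTI: jnc 00479ACCh
""".strip().splitlines()


@dataclass
class EvasionSummary:
    wmi_classes: List[str] = field(default_factory=list)  # order of first appearance
    sleep_ms: List[int] = field(default_factory=list)     # finite sleeps, as reported
    sleep_threshold_ms: Optional[int] = None              # the ">= -30000s" bound the report prints
    infinite_sleeps: int = 0
    year_gate: Optional[int] = None                       # immediate compared against the clock word
    year_gate_jump: Optional[str] = None                  # conditional jump following the cmp


def wmi_class_from_query(query: str) -> str:
    """CreateInstanceEnum entries name the class directly; ExecQuery entries carry WQL."""
    m = re.search(r"\bFROM\s+(\w+)", query, re.IGNORECASE)
    return m.group(1) if m else query.strip()


def summarize(lines: Iterable[str]) -> EvasionSummary:
    """Fold the report's evasion entries into one structured summary."""
    s = EvasionSummary()
    for line in lines:
        if m := WMI_RE.search(line):
            cls = wmi_class_from_query(m.group(3))
            if cls not in s.wmi_classes:
                s.wmi_classes.append(cls)
        elif m := SLEEP_RE.search(line):
            ms, threshold = int(m.group(2)), int(m.group(3))
            s.sleep_threshold_ms = threshold
            if ms >= INFINITE_SLEEP_MS:
                s.infinite_sleeps += 1
            else:
                s.sleep_ms.append(ms)
        elif m := YEAR_RE.search(line):
            s.year_gate = int(m.group(1), 16)  # 07dfh -> 2015
            s.year_gate_jump = m.group(2)
    return s


def finite_sleep_total_seconds(s: EvasionSummary) -> float:
    """Wall-clock time the finite sleeps alone would consume if a sandbox honoured them."""
    return sum(s.sleep_ms) / 1000.0


def vm_fields_queried(s: EvasionSummary) -> Dict[str, str]:
    """Map each queried WMI class to the field a sandbox would have to spoof."""
    return {c: VM_FIELDS.get(c, "not in table") for c in s.wmi_classes}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for cls, what in vm_fields_queried(summary).items():
        print(f"WMI {cls}: {what}")
    print(f"finite sleeps: {summary.sleep_ms} ms, total {finite_sleep_total_seconds(summary):.2f} s")
    print(f"infinite sleeps: {summary.infinite_sleeps}")
    print(f"clock gate: year {summary.year_gate} via {summary.year_gate_jump}")
```

Run against the full report, the same parser gives the complete sleep budget and the set of WMI classes a sandbox must spoof consistently (board vendor, MAC OUI, CPU name); the "Thread delayed" line is deliberately ignored because it duplicates the first sleep entry.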