Analysis Report Scan copy.exe

Overview

General Information

Sample Name: Scan copy.exe
Analysis ID: 433218
MD5: 502390a59aad886fa91210a1b89c89b5
SHA1: b5ccfd3c93f4625bb46ddfb6bd314c7533653368
SHA256: 661bb6d9fd6302e1c06c8d3d6182720259df9ce73b5251127c21eb4883ebcf7f
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmp Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "maksat@atlmexco.comMa1301smtp.atlmexco.com"} (the SMTP Info value is the account, credential and server concatenated without a separator; the server smtp.atlmexco.com matches the DNS query and the 93.89.24.35:587 connections recorded under Networking)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\emmrGOU.exe ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: Scan copy.exe ReversingLabs: Detection: 17%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\emmrGOU.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Scan copy.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.Scan copy.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Scan copy.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Scan copy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Scan copy.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\fXDNGqRoBT\src\obj\x86\Debug\PermissionSetEntryFieldId.pdb source: Scan copy.exe
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\fXDNGqRoBT\src\obj\x86\Debug\PermissionSetEntryFieldId.pdb8 source: Scan copy.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_0727DB00
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_0727EBD8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49744 -> 93.89.24.35:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49745 -> 93.89.24.35:587
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49744 -> 93.89.24.35:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BKVG-ASDE
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49744 -> 93.89.24.35:587
Source: unknown DNS traffic detected: queries for: smtp.atlmexco.com
Source: Scan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Scan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Scan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmp, Scan copy.exe, 00000007.00000002.475024688.0000000003331000.00000004.00000001.sdmp, Scan copy.exe, 00000007.00000002.474880893.00000000032F9000.00000004.00000001.sdmp String found in binary or memory: http://aJWYmLGLhn6n2.org
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Scan copy.exe, 00000000.00000002.226113577.0000000002BD1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Scan copy.exe, 00000007.00000002.475024688.0000000003331000.00000004.00000001.sdmp String found in binary or memory: http://smtp.atlmexco.com
Source: Scan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmp String found in binary or memory: http://uZoqoU.com
Source: Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.agfamonotype.
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Scan copy.exe, 00000000.00000003.208021704.0000000005CB6000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmll
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Scan copy.exe, 00000000.00000003.208701839.0000000005CAE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Scan copy.exe, 00000000.00000003.209057239.0000000005C89000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html2U
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comI.TTF
Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalic$
Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalsd
Source: Scan copy.exe, 00000000.00000002.235863544.0000000005C70000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comascC
Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcom
Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: Scan copy.exe, 00000000.00000002.235863544.0000000005C70000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comionmy
Source: Scan copy.exe, 00000000.00000002.235863544.0000000005C70000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: Scan copy.exe, 00000000.00000002.235863544.0000000005C70000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.como
Source: Scan copy.exe, 00000000.00000003.202582104.0000000005C8B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Scan copy.exe, 00000000.00000003.205522633.0000000005C76000.00000004.00000001.sdmp, Scan copy.exe, 00000000.00000003.204749021.0000000005C77000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Scan copy.exe, 00000000.00000003.204992463.0000000005C78000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Scan copy.exe, 00000000.00000003.205522633.0000000005C76000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnQ
Source: Scan copy.exe, 00000000.00000003.204490000.0000000005C7E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnn
Source: Scan copy.exe, 00000000.00000003.212350163.0000000005C83000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Scan copy.exe, 00000000.00000003.212350163.0000000005C83000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmTP
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/$
Source: Scan copy.exe, 00000000.00000003.207626091.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/J
Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/het
Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/hetJ
Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/n
Source: Scan copy.exe, 00000000.00000003.207626091.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/siv
Source: Scan copy.exe, 00000000.00000003.207626091.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/uea$
Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/vaoC
Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: Scan copy.exe, 00000000.00000003.201854697.0000000005C73000.00000004.00000001.sdmp, Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Scan copy.exe, 00000000.00000003.201854697.0000000005C73000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comr-t
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp, Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com(.
Source: Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.comx
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Scan copy.exe, 00000000.00000003.203905958.0000000005C8B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com%Q
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Scan copy.exe, 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp, Scan copy.exe, 00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Scan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
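The Snort hits and the DNS query above describe one sequence: the sandbox host resolves smtp.atlmexco.com, then opens TCP 587 to the answered address twice. The following is an added example of that correlation written as detection logic; it is not Joe Sandbox or Emerging Threats code. The DNS and connection records are constructed to mirror the report's traffic, and the Zeek-like field order, the invented timestamps and the allowlisted relay mail.corp.example are assumptions of the example.

```python
"""Correlate DNS answers with outbound mail-submission flows.

Added example for this report (not Joe Sandbox or Snort code). The log
lines are constructed to match the report's traffic; the field order
('ts src query answer' for DNS, 'ts src sport dst dport proto' for
connections) is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

MAIL_PORTS = {25, 465, 587}            # SMTP, SMTPS, submission (587 in the report)

# Relay hosts this network is expected to use (assumed placeholder name).
ALLOWED_MAIL_HOSTS = {"mail.corp.example"}


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dport: int
    domain: Optional[str]      # None: no DNS answer preceded the flow


def parse_dns(lines: Iterable[str]) -> dict:
    """Map each answered IP to the (lower-cased) name that was queried."""
    resolved = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                       # skip malformed records
        _ts, _src, qname, answer = parts
        resolved[answer] = qname.lower().rstrip(".")
    return resolved


def parse_conn(lines: Iterable[str]):
    """Yield (src, dst, dport) for TCP flows; malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[5].lower() != "tcp":
            continue
        _ts, src, _sport, dst, dport, _proto = parts
        yield src, dst, int(dport)


def find_mail_exfil(dns_lines, conn_lines, allowed=ALLOWED_MAIL_HOSTS) -> List[Alert]:
    """Alert on every mail-port flow whose destination is not an allowed relay.

    A destination that never appeared in a DNS answer is still reported
    (domain=None): hard-coded exfil addresses are common as well.
    """
    resolved = parse_dns(dns_lines)
    alerts = []
    for src, dst, dport in parse_conn(conn_lines):
        if dport not in MAIL_PORTS:
            continue
        domain = resolved.get(dst)
        if domain in allowed:
            continue
        alerts.append(Alert(src, dst, dport, domain))
    return alerts


# Constructed records mirroring the report's traffic (timestamps invented).
DNS_LOG = [
    "1623000001 192.168.2.3 smtp.atlmexco.com 93.89.24.35",
    "1623000005 192.168.2.3 mail.corp.example 10.0.0.25",
]
CONN_LOG = [
    "1623000002 192.168.2.3 49744 93.89.24.35 587 tcp",    # Snort hit 1
    "1623000003 192.168.2.3 49745 93.89.24.35 587 tcp",    # Snort hit 2
    "1623000004 192.168.2.3 49750 198.51.100.7 443 tcp",   # constructed: not a mail port
    "1623000006 192.168.2.3 49760 10.0.0.25 587 tcp",      # constructed: allowed relay
    "1623000007 192.168.2.3 49770 203.0.113.9 25 tcp",     # constructed: no DNS, hard-coded IP
]

if __name__ == "__main__":
    for a in find_mail_exfil(DNS_LOG, CONN_LOG):
        print(f"{a.src} -> {a.dst}:{a.dport} ({a.domain or 'no DNS answer seen'})")
```

The allowlist is keyed by resolved name, not by address, so a relay reached by bare IP without a preceding lookup is still surfaced; on a real network that is the case worth a second look rather than an automatic pass.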

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_011C05C8 SetWindowsHookExW 0000000D,00000000,?,? 7_2_011C05C8
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Scan copy.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Scan copy.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Scan copy.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary:

.NET source code contains very large array initializations
Source: 7.2.Scan copy.exe.400000.0.unpack, <PrivateImplementationDetails>{E75C8CE5-1AF8-4CE0-84AB-1AA9008845DA}/4688D7C8-0AC5-4F49-92F7-0AB75E92AF93.cs Large array initialization: .cctor: array initializer size 11926
Source: 7.0.Scan copy.exe.400000.1.unpack, <PrivateImplementationDetails>{E75C8CE5-1AF8-4CE0-84AB-1AA9008845DA}/4688D7C8-0AC5-4F49-92F7-0AB75E92AF93.cs Large array initialization: .cctor: array initializer size 11926
Detected potential crypto function
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07278F50 0_2_07278F50
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07279580 0_2_07279580
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_0727CC40 0_2_0727CC40
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07278480 0_2_07278480
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07278808 0_2_07278808
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07278F40 0_2_07278F40
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_072787FA 0_2_072787FA
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07279570 0_2_07279570
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07278472 0_2_07278472
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07275CE0 0_2_07275CE0
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07275CD2 0_2_07275CD2
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_0727A3B0 0_2_0727A3B0
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_0727E3B8 0_2_0727E3B8
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_0727A39F 0_2_0727A39F
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07274928 0_2_07274928
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07274919 0_2_07274919
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07274148 0_2_07274148
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07274158 0_2_07274158
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_072731C0 0_2_072731C0
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07270039 0_2_07270039
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07270040 0_2_07270040
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_072738A0 0_2_072738A0
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_07273889 0_2_07273889
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BE7A60 0_2_08BE7A60
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEAC78 0_2_08BEAC78
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BECD40 0_2_08BECD40
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEBE58 0_2_08BEBE58
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEB4B0 0_2_08BEB4B0
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEE840 0_2_08BEE840
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEB939 0_2_08BEB939
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEB948 0_2_08BEB948
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BE7A51 0_2_08BE7A51
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEABE0 0_2_08BEABE0
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEEB30 0_2_08BEEB30
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEDC80 0_2_08BEDC80
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEEED8 0_2_08BEEED8
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEBE4A 0_2_08BEBE4A
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEF0F8 0_2_08BEF0F8
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEA0F0 0_2_08BEA0F0
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEA0E1 0_2_08BEA0E1
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BE0039 0_2_08BE0039
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BE0040 0_2_08BE0040
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEF358 0_2_08BEF358
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BE74B0 0_2_08BE74B0
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BEB4A2 0_2_08BEB4A2
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_08BE74A0 0_2_08BE74A0
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_011CD138 7_2_011CD138
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_011CA1B0 7_2_011CA1B0
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_011CCF48 7_2_011CCF48
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_011CBBE4 7_2_011CBBE4
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_011C0C80 7_2_011C0C80
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_014946A0 7_2_014946A0
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_014945B0 7_2_014945B0
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_01494630 7_2_01494630
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_0149DA30 7_2_0149DA30
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_0153C95C 7_2_0153C95C
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_01532B08 7_2_01532B08
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_015313C8 7_2_015313C8
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_0153B5C8 7_2_0153B5C8
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_015346B0 7_2_015346B0
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_01546890 7_2_01546890
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_01545B30 7_2_01545B30
Sample file is different than original file name gathered from version info
Source: Scan copy.exe, 00000000.00000002.226113577.0000000002BD1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameyZmFnldYFSznTuqDxTayTtUJG.exe4 vs Scan copy.exe
Source: Scan copy.exe, 00000000.00000000.198627508.0000000000962000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePermissionSetEntryFieldId.exeZ vs Scan copy.exe
Source: Scan copy.exe, 00000000.00000002.239479824.000000000E910000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Scan copy.exe
Source: Scan copy.exe, 00000000.00000002.239479824.000000000E910000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Scan copy.exe
Source: Scan copy.exe, 00000000.00000003.218712223.0000000003EDF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs Scan copy.exe
Source: Scan copy.exe, 00000000.00000002.239367857.000000000E820000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Scan copy.exe
Source: Scan copy.exe, 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKygo.dll* vs Scan copy.exe
Source: Scan copy.exe, 00000000.00000002.238846395.0000000008A90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Scan copy.exe
Source: Scan copy.exe, 00000007.00000000.224533623.0000000000D62000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePermissionSetEntryFieldId.exeZ vs Scan copy.exe
Source: Scan copy.exe, 00000007.00000002.477924509.0000000006430000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Scan copy.exe
Source: Scan copy.exe, 00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameyZmFnldYFSznTuqDxTayTtUJG.exe4 vs Scan copy.exe
Source: Scan copy.exe, 00000007.00000002.469694000.00000000011D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs Scan copy.exe
Source: Scan copy.exe, 00000007.00000002.469262654.00000000010F8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Scan copy.exe
Source: Scan copy.exe Binary or memory string: OriginalFilenamePermissionSetEntryFieldId.exeZ vs Scan copy.exe
Uses 32bit PE files
Source: Scan copy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Scan copy.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: emmrGOU.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7.2.Scan copy.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.Scan copy.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.Scan copy.exe.400000.1.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.Scan copy.exe.400000.1.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/5@1/1
Source: C:\Users\user\Desktop\Scan copy.exe File created: C:\Users\user\AppData\Roaming\emmrGOU.exe Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Mutant created: \Sessions\1\BaseNamedObjects\QnZoDGZEfCHgFbAtrpNXfgIt
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3864:120:WilError_01
Source: C:\Users\user\Desktop\Scan copy.exe File created: C:\Users\user\AppData\Local\Temp\tmp3F10.tmp Jump to behavior
Source: Scan copy.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Scan copy.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Scan copy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Scan copy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Scan copy.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: Scan copy.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\Scan copy.exe File read: C:\Users\user\Desktop\Scan copy.exe
Source: unknown Process created: C:\Users\user\Desktop\Scan copy.exe 'C:\Users\user\Desktop\Scan copy.exe'
Source: C:\Users\user\Desktop\Scan copy.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\emmrGOU' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F10.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Scan copy.exe Process created: C:\Users\user\Desktop\Scan copy.exe C:\Users\user\Desktop\Scan copy.exe
Source: C:\Users\user\Desktop\Scan copy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Scan copy.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Scan copy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Scan copy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Scan copy.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Scan copy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\fXDNGqRoBT\src\obj\x86\Debug\PermissionSetEntryFieldId.pdb source: Scan copy.exe
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\fXDNGqRoBT\src\obj\x86\Debug\PermissionSetEntryFieldId.pdb8 source: Scan copy.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: Scan copy.exe, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: emmrGOU.exe.0.dr, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Scan copy.exe.870000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Scan copy.exe.870000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Scan copy.exe.c70000.1.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.Scan copy.exe.c70000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.Scan copy.exe.c70000.2.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_072761E8 push esp; iretd 0_2_072761E9
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_072711C2 push ebx; iretd 0_2_072711C4
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 0_2_072711C9 push ebx; iretd 0_2_072711CE
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_0153BB1A pushfd ; iretd 7_2_0153BBB9
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_0153B3A8 pushfd ; retf 7_2_0153B3A9
Source: initial sample Static PE information: section name: .text entropy: 7.86391692068

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Scan copy.exe File created: C:\Users\user\AppData\Roaming\emmrGOU.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Scan copy.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\emmrGOU' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F10.tmp'

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Scan copy.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Scan copy.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan copy.exe PID: 6048, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Scan copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Scan copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Scan copy.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Scan copy.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Scan copy.exe Window / User API: threadDelayed 2677
Source: C:\Users\user\Desktop\Scan copy.exe Window / User API: threadDelayed 7171
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Scan copy.exe TID: 6076 Thread sleep time: -102260s >= -30000s
Source: C:\Users\user\Desktop\Scan copy.exe TID: 3840 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Scan copy.exe TID: 6080 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Scan copy.exe TID: 5716 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\Scan copy.exe TID: 2128 Thread sleep count: 2677 > 30
Source: C:\Users\user\Desktop\Scan copy.exe TID: 2128 Thread sleep count: 7171 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Scan copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Scan copy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Scan copy.exe Thread delayed: delay time: 102260
Source: C:\Users\user\Desktop\Scan copy.exe Thread delayed: delay time: 922337203685477
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Scan copy.exe, 00000007.00000002.471464886.00000000013CB000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Scan copy.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Scan copy.exe Code function: 7_2_015388B0 LdrInitializeThunk, 7_2_015388B0
Enables debug privileges
Source: C:\Users\user\Desktop\Scan copy.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Scan copy.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Scan copy.exe Memory written: C:\Users\user\Desktop\Scan copy.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Scan copy.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\emmrGOU' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F10.tmp'
Source: C:\Users\user\Desktop\Scan copy.exe Process created: C:\Users\user\Desktop\Scan copy.exe C:\Users\user\Desktop\Scan copy.exe
Source: Scan copy.exe, 00000007.00000002.472515118.0000000001AA0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Scan copy.exe, 00000007.00000002.472515118.0000000001AA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Scan copy.exe, 00000007.00000002.472515118.0000000001AA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Scan copy.exe, 00000007.00000002.472515118.0000000001AA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Users\user\Desktop\Scan copy.exe VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Users\user\Desktop\Scan copy.exe VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Scan copy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.Scan copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Scan copy.exe.3dd5270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Scan copy.exe.3dd5270.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Scan copy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Scan copy.exe.3cb87f0.1.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan copy.exe PID: 6048, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan copy.exe PID: 5988, type: MEMORY
Source: Yara match File source: 7.2.Scan copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Scan copy.exe.3dd5270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Scan copy.exe.3dd5270.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Scan copy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Scan copy.exe.3cb87f0.1.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Scan copy.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Scan copy.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Scan copy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Scan copy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Scan copy.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Scan copy.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Scan copy.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Scan copy.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Scan copy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan copy.exe PID: 5988, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.Scan copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Scan copy.exe.3dd5270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Scan copy.exe.3dd5270.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Scan copy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Scan copy.exe.3cb87f0.1.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan copy.exe PID: 6048, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan copy.exe PID: 5988, type: MEMORY
Source: Yara match File source: 7.2.Scan copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Scan copy.exe.3dd5270.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Scan copy.exe.3dd5270.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Scan copy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Scan copy.exe.3cb87f0.1.raw.unpack, type: UNPACKEDPE