Analysis Report OMANTECH PRODUCTS.exe

Overview

General Information

Sample Name: OMANTECH PRODUCTS.exe
Analysis ID: 433265
MD5: 1603b2e2474ac57ba3ee0ae98357b50c
SHA1: a50dbd334f5d9a67c51b399dfc9c8b44b5514e59
SHA256: 1e718cc81b172505bab7576339bb954e9911c79c95c67430355afc493d075a2e
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "jokelogs@omnlltd.comE#@Dfb$LbM)Mserver126.web-hosting.com"}
Note: the extractor prints the SMTP fields as one string without separators; it appears to be the SMTP username (jokelogs@omnlltd.com), the password, and the SMTP host (server126.web-hosting.com) concatenated. The host is the name resolved and contacted on TCP/587 in the Networking section below, which corroborates the extracted configuration.
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe ReversingLabs: Detection: 30%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: OMANTECH PRODUCTS.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.0.OMANTECH PRODUCTS.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 17.2.EupFNx.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 3.2.OMANTECH PRODUCTS.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 17.0.EupFNx.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 9.2.EupFNx.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 9.0.EupFNx.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: OMANTECH PRODUCTS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: OMANTECH PRODUCTS.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: LongPathFile.pdb source: EupFNx.exe, OMANTECH PRODUCTS.exe
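The flag names above come straight from three places in the PE header: the COFF Characteristics field (LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED), the optional-header DllCharacteristics field (NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT), and the data-directory table (the DEBUG and COM_DESCRIPTOR entries listed under System Summary). The Python below is an added example, not part of the Joe Sandbox report or of the sample, that decodes those fields from raw bytes using only the standard library. Since the sample itself is not embedded here, it parses a constructed PE32 header that carries exactly the flag combination the report lists; the flag tables come from the PE/COFF specification, and the list of expected mitigations is an assumption of this example.

```python
import struct
import sys

# Flag tables from the PE/COFF specification (IMAGE_FILE_* and IMAGE_DLLCHARACTERISTICS_*).
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
DATA_DIRECTORIES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
# Mitigations an analyst would expect on a modern native build; an assumption of this example.
EXPECTED_MITIGATIONS = ["DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF"]


def _names(value, table):
    return sorted(name for bit, name in table.items() if value & bit)


def parse_pe_flags(data: bytes) -> dict:
    """Decode Characteristics, DllCharacteristics and the non-empty data directories."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _sym, _nsym, _optsize, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: DllCharacteristics @70, NumberOfRvaAndSizes @92, directories @96
        dll_off, ndirs_off, dir_off = 70, 92, 96
    elif magic == 0x20B:    # PE32+: 8-byte stack/heap fields push the directory table out by 16
        dll_off, ndirs_off, dir_off = 70, 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + dll_off)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    present = []
    for i in range(min(ndirs, len(DATA_DIRECTORIES))):
        va, size = struct.unpack_from("<II", data, opt + dir_off + 8 * i)
        if va and size:
            present.append("IMAGE_DIRECTORY_ENTRY_" + DATA_DIRECTORIES[i])
    return {
        "machine": machine,
        "is_pe32": magic == 0x10B,
        "characteristics": _names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": _names(dll_chars, DLL_CHARACTERISTICS),
        "directories": present,
        "is_dotnet": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR" in present,
    }


def missing_mitigations(info: dict) -> list:
    return [m for m in EXPECTED_MITIGATIONS if m not in info["dll_characteristics"]]


def build_constructed_header() -> bytes:
    """Constructed minimal PE32 header mirroring the flags the report lists (not the real file)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE signature
    # IMAGE_FILE_MACHINE_I386, 2 sections, optional header 224 bytes, Characteristics 0x010E
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x010E)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<H", opt, 68, 2)                          # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0x8540)                     # NO_SEH|TS_AWARE|DYNAMIC_BASE|NX_COMPAT
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 6, 0x2000, 0x1C)      # DEBUG directory
    struct.pack_into("<II", opt, 96 + 8 * 14, 0x2008, 0x48)     # COM_DESCRIPTOR (CLR header)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_header()
    info = parse_pe_flags(blob)
    print(info)
    print("missing mitigations:", missing_mitigations(info))
```

For a .NET executable the NO_SEH, NX_COMPAT, DYNAMIC_BASE and TERMINAL_SERVER_AWARE bits are the C# compiler's defaults rather than evidence of deliberate hardening, so they carry little signal on their own; the populated COM_DESCRIPTOR directory is the reliable sign that the PE is a managed assembly and should be triaged with a .NET decompiler rather than a native disassembler.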

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_04B22258
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_04B23578
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_04B23568
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_04B22249
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 7_2_03372258
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 7_2_03372249
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 7_2_03373578
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 7_2_03373568
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 11_2_010C2370
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 11_2_010C235F
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 11_2_010C3680
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 11_2_010C3690
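The pattern behind this signature is a run of single-byte NOPs (0x90) immediately followed by mov dword ptr [ebp-18h], 0 (encoded C7 45 E8 00 00 00 00), something a compiler does not normally emit, and here it recurs at the same relative offsets inside every process. The Python below is an added example, not from the report, that scans a code buffer for such NOP runs and decodes the instruction that follows each one, printing it in the same form the report uses. It runs over a small constructed byte sequence, not over the sample; the sequence and the run-length threshold are assumptions of this example.

```python
import struct

# Constructed x86 fragment: prologue, a 4-NOP run before the mov the report describes, a 2-NOP
# run that stays below the threshold, then a 5-NOP run before a disp32 form of the same mov.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC 83 EC 20 "               # push ebp; mov ebp, esp; sub esp, 20h
    "90 90 90 90 "                     # 4x nop
    "C7 45 E8 00 00 00 00 "            # mov dword ptr [ebp-18h], 0
    "90 90 "                           # 2x nop
    "33 C0 "                           # xor eax, eax
    "90 90 90 90 90 "                  # 5x nop
    "C7 85 F0 FF FF FF 01 00 00 00 "   # mov dword ptr [ebp-10h], 1
    "C9 C3"                            # leave; ret
)


def _fmt_mov_ebp(disp: int, imm: int) -> str:
    sign = "-" if disp < 0 else "+"
    return "mov dword ptr [ebp%s%Xh], %08Xh" % (sign, abs(disp), imm)


def decode_following(code: bytes, pos: int) -> str:
    """Decode the instruction at pos if it is a mov dword ptr [ebp+disp], imm32; else dump bytes."""
    nxt = code[pos:pos + 10]
    if nxt[:2] == b"\xC7\x45" and len(nxt) >= 7:        # C7 /0, modrm 45 = [ebp+disp8]
        disp, imm = struct.unpack_from("<bI", nxt, 2)
        return _fmt_mov_ebp(disp, imm)
    if nxt[:2] == b"\xC7\x85" and len(nxt) >= 10:       # C7 /0, modrm 85 = [ebp+disp32]
        disp, imm = struct.unpack_from("<iI", nxt, 2)
        return _fmt_mov_ebp(disp, imm)
    return "db " + " ".join("%02X" % b for b in nxt[:4])


def find_nop_runs(code: bytes, min_run: int = 4) -> list:
    """Return every run of at least min_run single-byte NOPs with the instruction that follows it.
    Only 0x90 is counted; multi-byte NOP forms (0F 1F ..) are left alone on purpose."""
    hits, i, n = [], 0, len(code)
    while i < n:
        if code[i] != 0x90:
            i += 1
            continue
        start = i
        while i < n and code[i] == 0x90:
            i += 1
        run = i - start
        if run >= min_run:
            hits.append({"offset": start, "nops": run, "next": decode_following(code, i)})
    return hits


if __name__ == "__main__":
    for h in find_nop_runs(SAMPLE_CODE):
        print("%#06x: %dx nop then %s" % (h["offset"], h["nops"], h["next"]))
```

Run against a dumped code section (for example the .text of the unpacked stage 3 image) this reproduces the report's "4x nop then mov dword ptr [ebp-18h], 00000000h" lines; the repeated hits at fixed offsets in both binaries are what lets the same obfuscator fingerprint OMANTECH PRODUCTS.exe and its dropped copy EupFNx.exe.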

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49743 -> 198.54.126.165:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.54.126.165 198.54.126.165
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49743 -> 198.54.126.165:587
Source: unknown DNS traffic detected: queries for: server126.web-hosting.com
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp, EupFNx.exe, 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp, EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0-
Source: EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp String found in binary or memory: http://ronNgX.com
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp, OMANTECH PRODUCTS.exe, 00000003.00000003.537622624.0000000001574000.00000004.00000001.sdmp, OMANTECH PRODUCTS.exe, 00000003.00000002.593596516.0000000003631000.00000004.00000001.sdmp String found in binary or memory: http://sAxmBjuRp77zUAl6sU9.org
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328176976.0000000002AE1000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414659740.00000000034B1000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442743867.00000000029F1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.594511046.00000000036AB000.00000004.00000001.sdmp String found in binary or memory: http://server126.web-hosting.com
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp, OMANTECH PRODUCTS.exe, 00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp, EupFNx.exe, 00000007.00000002.415888638.00000000044B9000.00000004.00000001.sdmp, EupFNx.exe, 00000009.00000000.411469581.0000000000402000.00000040.00000001.sdmp, EupFNx.exe, 0000000B.00000002.443519142.00000000039F9000.00000004.00000001.sdmp, EupFNx.exe, 00000011.00000000.438386722.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp, EupFNx.exe, 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp, EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\OMANTECH PRODUCTS.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.326481971.0000000000DC8000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 3.0.OMANTECH PRODUCTS.exe.400000.1.unpack, <PrivateImplementationDetails>{D1D586A5-BBB8-4D80-8A68-B4F10A1C11D2}/F1FEFAAA-EDA3-48ED-89D2-AD0DD330AFD0.cs Large array initialization: .cctor: array initializer size 11931
Source: 3.2.OMANTECH PRODUCTS.exe.400000.0.unpack, <PrivateImplementationDetails>{D1D586A5-BBB8-4D80-8A68-B4F10A1C11D2}/F1FEFAAA-EDA3-48ED-89D2-AD0DD330AFD0.cs Large array initialization: .cctor: array initializer size 11931
Detected potential crypto function
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 1_2_0112B5AC 1_2_0112B5AC
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 1_2_0112E470 1_2_0112E470
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 1_2_0112CA2B 1_2_0112CA2B
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 1_2_0112B1E0 1_2_0112B1E0
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 1_2_0112B5A0 1_2_0112B5A0
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 1_2_04B21924 1_2_04B21924
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 1_2_04B20006 1_2_04B20006
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 1_2_04B20040 1_2_04B20040
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 1_2_0505A100 1_2_0505A100
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 1_2_0505A0F3 1_2_0505A0F3
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_017368B0 3_2_017368B0
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_01735B50 3_2_01735B50
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_0173E2C8 3_2_0173E2C8
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_01777DC4 3_2_01777DC4
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_01770040 3_2_01770040
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_017747F8 3_2_017747F8
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_0177C668 3_2_0177C668
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_0177CDA8 3_2_0177CDA8
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_01770012 3_2_01770012
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_01776C08 3_2_01776C08
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_017718D8 3_2_017718D8
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_0177CEA8 3_2_0177CEA8
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_018746A0 3_2_018746A0
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_01874690 3_2_01874690
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_01874650 3_2_01874650
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_0187D981 3_2_0187D981
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_06771F68 3_2_06771F68
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 7_2_03371924 7_2_03371924
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 7_2_03370036 7_2_03370036
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 7_2_03370040 7_2_03370040
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 7_2_0343CA00 7_2_0343CA00
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 7_2_0343B1E0 7_2_0343B1E0
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 7_2_059BA100 7_2_059BA100
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 7_2_059BA0F2 7_2_059BA0F2
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 9_2_015746A0 9_2_015746A0
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 9_2_015745B0 9_2_015745B0
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 9_2_0157D981 9_2_0157D981
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 9_2_063A94F8 9_2_063A94F8
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 9_2_063A7540 9_2_063A7540
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 9_2_063AB0E8 9_2_063AB0E8
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 9_2_063A6928 9_2_063A6928
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 9_2_063A6C70 9_2_063A6C70
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 11_2_00CEE450 11_2_00CEE450
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 11_2_00CEB5AC 11_2_00CEB5AC
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 11_2_00CE9B08 11_2_00CE9B08
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 11_2_00CEE470 11_2_00CEE470
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 11_2_00CECA2B 11_2_00CECA2B
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 11_2_00CEB1E0 11_2_00CEB1E0
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 11_2_00CEB5A0 11_2_00CEB5A0
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 11_2_010C1A3C 11_2_010C1A3C
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 11_2_010C0006 11_2_010C0006
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 11_2_010C0040 11_2_010C0040
PE file contains strange resources
Source: OMANTECH PRODUCTS.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EupFNx.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKygo.dll* vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameyGtvOASYWvwbdmbUlBZRzUUheXIDKFJfdPWsWBv.exe4 vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.326481971.0000000000DC8000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000001.00000000.316936742.00000000007A0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLongPathFile.exe< vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000003.00000000.324326070.0000000001030000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLongPathFile.exe< vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameyGtvOASYWvwbdmbUlBZRzUUheXIDKFJfdPWsWBv.exe4 vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.590174499.0000000001760000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.590230809.0000000001780000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.590385601.00000000017F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.583527597.00000000011D8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe Binary or memory string: OriginalFilenameLongPathFile.exe< vs OMANTECH PRODUCTS.exe
Uses 32bit PE files
Source: OMANTECH PRODUCTS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: OMANTECH PRODUCTS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: EupFNx.exe.3.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OMANTECH PRODUCTS.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: OMANTECH PRODUCTS.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: EupFNx.exe.3.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: EupFNx.exe.3.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.OMANTECH PRODUCTS.exe.f50000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.OMANTECH PRODUCTS.exe.f50000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.OMANTECH PRODUCTS.exe.f50000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.OMANTECH PRODUCTS.exe.f50000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/5@2/1
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OMANTECH PRODUCTS.exe.log
Source: OMANTECH PRODUCTS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File read: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe
Source: unknown Process created: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe 'C:\Users\user\Desktop\OMANTECH PRODUCTS.exe'
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Process created: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe C:\Users\user\Desktop\OMANTECH PRODUCTS.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe 'C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe'
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe 'C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe'
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Process created: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe C:\Users\user\Desktop\OMANTECH PRODUCTS.exe
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: OMANTECH PRODUCTS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: OMANTECH PRODUCTS.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: OMANTECH PRODUCTS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: LongPathFile.pdb source: EupFNx.exe, OMANTECH PRODUCTS.exe
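Taken together, the process tree above (each binary starting a second copy of its own image, consistent with the suspended-process creation flagged under Signatures), the executable dropped to C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe, the DNS lookup of server126.web-hosting.com and the TCP/587 connection to 198.54.126.165 recorded under Networking give a small set of host and network detections that do not depend on the sample's hash. The Python below is an added example, not part of the Joe Sandbox report, that runs such rules over a handful of constructed Sysmon-style events. The event schema, the mail-client allow-list and the benign contrast events (including the documentation address 203.0.113.10) are assumptions of the example; the hashes, host, IP, port and file paths are copied from the report.

```python
# Indicators copied from the report: file hashes, SMTP exfil host and the IP it resolved to.
KNOWN_HASHES = {
    "1603b2e2474ac57ba3ee0ae98357b50c",
    "a50dbd334f5d9a67c51b399dfc9c8b44b5514e59",
    "1e718cc81b172505bab7576339bb954e9911c79c95c67430355afc493d075a2e",
}
KNOWN_HOSTS = {"server126.web-hosting.com"}
KNOWN_IPS = {"198.54.126.165"}
MAIL_PORTS = {25, 465, 587}
# Hypothetical allow-list of processes expected to speak SMTP; tune for the environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

SAMPLE_IMAGE = r"C:\Users\user\Desktop\OMANTECH PRODUCTS.exe"
SAMPLE_SHA256 = "1e718cc81b172505bab7576339bb954e9911c79c95c67430355afc493d075a2e"

# Constructed Sysmon-style events (process create, file create, DNS query, network connect).
# Events 1-5 mirror the report's behaviour; 6 and 7 are made-up benign traffic for contrast.
SAMPLE_EVENTS = [
    {"id": 1, "type": "proc", "image": SAMPLE_IMAGE, "parent_image": r"C:\Windows\explorer.exe",
     "sha256": SAMPLE_SHA256},
    {"id": 2, "type": "proc", "image": SAMPLE_IMAGE, "parent_image": SAMPLE_IMAGE,
     "sha256": SAMPLE_SHA256},
    {"id": 3, "type": "file", "image": SAMPLE_IMAGE,
     "target": r"C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe"},
    {"id": 4, "type": "dns", "image": SAMPLE_IMAGE, "query": "server126.web-hosting.com"},
    {"id": 5, "type": "net", "image": SAMPLE_IMAGE, "dst_ip": "198.54.126.165", "dst_port": 587},
    {"id": 6, "type": "net", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "203.0.113.10", "dst_port": 587},
    {"id": 7, "type": "dns", "image": r"C:\Windows\System32\svchost.exe",
     "query": "ctldl.windowsupdate.com"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_known_ioc(ev):
    """Direct match on the indicators the report extracted."""
    if ev["type"] == "dns" and ev["query"].lower() in KNOWN_HOSTS:
        return "DNS lookup of known exfil host"
    if ev["type"] == "net" and ev["dst_ip"] in KNOWN_IPS:
        return "connection to known exfil IP"
    if ev["type"] == "proc" and ev.get("sha256", "").lower() in KNOWN_HASHES:
        return "known sample hash executed"
    return None


def rule_smtp_from_non_mail_client(ev):
    """AgentTesla sends its logs over SMTP from the stealer process itself, not a mail client."""
    if ev["type"] == "net" and ev["dst_port"] in MAIL_PORTS and _basename(ev["image"]) not in MAIL_CLIENTS:
        return "SMTP/submission traffic from non-mail process"
    return None


def rule_self_spawn(ev):
    """A process starting a second copy of its own image, as both binaries do in the report."""
    if ev["type"] == "proc" and ev["image"].lower() == ev["parent_image"].lower():
        return "process spawned its own image (possible hollowing)"
    return None


def rule_exe_dropped_to_roaming(ev):
    """Persistence copy written as an .exe under the user's roaming profile."""
    target = ev.get("target", "").lower()
    if ev["type"] == "file" and target.endswith(".exe") and "\\appdata\\roaming\\" in target:
        return "executable written under AppData\\Roaming"
    return None


RULES = [rule_known_ioc, rule_smtp_from_non_mail_client, rule_self_spawn, rule_exe_dropped_to_roaming]


def run_detections(events):
    """Return (event id, rule name, reason) for every rule that fires on every event."""
    alerts = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                alerts.append((ev["id"], rule.__name__, reason))
    return alerts


if __name__ == "__main__":
    for event_id, rule_name, reason in run_detections(SAMPLE_EVENTS):
        print("event %d: %s: %s" % (event_id, rule_name, reason))
```

The hash and host/IP rules only catch this exact build; the self-spawn, AppData drop and SMTP-from-odd-process rules are the ones that survive a recompiled or re-crypted sample, at the cost of needing an allow-list that fits the environment.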

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: OMANTECH PRODUCTS.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 1.0.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 1.2.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: EupFNx.exe.3.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.2.OMANTECH PRODUCTS.exe.f50000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.0.OMANTECH PRODUCTS.exe.f50000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.0.OMANTECH PRODUCTS.exe.f50000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 1_2_0112EC90 push eax; ret 1_2_0112EC91
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_0173B597 push edi; retn 0000h 3_2_0173B599
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_0173D4F8 pushad ; iretd 3_2_0173D541
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_0181E333 push eax; ret 3_2_0181E349
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_0181D95C push eax; ret 3_2_0181D95D
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 7_2_0343EC90 push eax; ret 7_2_0343EC91
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 9_2_0151D95C push eax; ret 9_2_0151D95D
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 9_2_0151E348 push eax; ret 9_2_0151E349
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 11_2_00CEEC90 push eax; ret 11_2_00CEEC91
Source: initial sample Static PE information: section name: .text entropy: 7.85494493931
Source: OMANTECH PRODUCTS.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 1.0.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 1.2.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: EupFNx.exe.3.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 3.2.OMANTECH PRODUCTS.exe.f50000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 3.0.OMANTECH PRODUCTS.exe.f50000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 3.0.OMANTECH PRODUCTS.exe.f50000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EupFNx

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File opened: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EupFNx.exe PID: 6568, type: MEMORY
Source: Yara match File source: Process Memory Space: OMANTECH PRODUCTS.exe PID: 6696, type: MEMORY
Source: Yara match File source: Process Memory Space: EupFNx.exe PID: 6336, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 1_2_006C3C35 sldt word ptr [eax] 1_2_006C3C35
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Window / User API: threadDelayed 9598 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Window / User API: threadDelayed 559 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Window / User API: threadDelayed 1393 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Window / User API: threadDelayed 8417 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe TID: 6700 Thread sleep time: -102952s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe TID: 6760 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe TID: 4844 Thread sleep time: -14757395258967632s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe TID: 6164 Thread sleep count: 239 > 30 Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe TID: 6164 Thread sleep count: 9598 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 6332 Thread sleep time: -101189s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 6436 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 6064 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 5676 Thread sleep count: 37 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 5676 Thread sleep count: 559 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 6444 Thread sleep time: -99633s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 6816 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 5528 Thread sleep time: -16602069666338586s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 1420 Thread sleep count: 1393 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 1420 Thread sleep count: 8417 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 5528 Thread sleep count: 42 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Thread delayed: delay time: 102952 Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Thread delayed: delay time: 101189 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Thread delayed: delay time: 99633 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: vmware
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Code function: 3_2_01730A76 KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk, 3_2_01730A76
Enables debug privileges
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Process created: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Jump to behavior
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591063778.0000000001D50000.00000002.00000001.sdmp, EupFNx.exe, 00000011.00000002.590101786.0000000001200000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591063778.0000000001D50000.00000002.00000001.sdmp, EupFNx.exe, 00000011.00000002.590101786.0000000001200000.00000002.00000001.sdmp Binary or memory string: Progman
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591063778.0000000001D50000.00000002.00000001.sdmp, EupFNx.exe, 00000011.00000002.590101786.0000000001200000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591063778.0000000001D50000.00000002.00000001.sdmp, EupFNx.exe, 00000011.00000002.590101786.0000000001200000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Queries volume information: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Queries volume information: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Code function: 9_2_063A5A94 GetUserNameW, 9_2_063A5A94
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000011.00000000.438386722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.411469581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.443402056.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.324134931.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.415888638.00000000044B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.443519142.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.582257819.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 17.2.EupFNx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.EupFNx.exe.4573e38.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.OMANTECH PRODUCTS.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.OMANTECH PRODUCTS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.EupFNx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.EupFNx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.EupFNx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EupFNx.exe.3ab3e38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.EupFNx.exe.4573e38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EupFNx.exe.3ab3e38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000011.00000000.438386722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.411469581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.443402056.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.324134931.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.415888638.00000000044B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.443519142.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.582257819.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OMANTECH PRODUCTS.exe PID: 6844, type: MEMORY
Source: Yara match File source: Process Memory Space: EupFNx.exe PID: 5808, type: MEMORY
Source: Yara match File source: Process Memory Space: EupFNx.exe PID: 6568, type: MEMORY
Source: Yara match File source: Process Memory Space: OMANTECH PRODUCTS.exe PID: 6696, type: MEMORY
Source: Yara match File source: Process Memory Space: EupFNx.exe PID: 6336, type: MEMORY
Source: Yara match File source: Process Memory Space: EupFNx.exe PID: 6488, type: MEMORY
Source: Yara match File source: 17.2.EupFNx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.EupFNx.exe.4573e38.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.OMANTECH PRODUCTS.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.OMANTECH PRODUCTS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.EupFNx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.EupFNx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.EupFNx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EupFNx.exe.3ab3e38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.EupFNx.exe.4573e38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EupFNx.exe.3ab3e38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OMANTECH PRODUCTS.exe PID: 6844, type: MEMORY
Source: Yara match File source: Process Memory Space: EupFNx.exe PID: 5808, type: MEMORY
Source: Yara match File source: Process Memory Space: EupFNx.exe PID: 6488, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Yara detected AgentTesla