Windows Analysis Report
scan-copy 202204.exe

Overview

General Information

Sample Name: scan-copy 202204.exe
Analysis ID: 612083
MD5: ce536566bed415b6be2b7635cfb03af0
SHA1: 0845827e4dd7ab05ea5faeda57b93f2912fb04fe
SHA256: 8722d6807e6c18d74f0c1ebea1f10d4f82038985b553917b2a6df36745299ed2
Tags: exeFormbookxloader
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Found malware configuration
Source: 00000000.00000002.350851832.000000000422E000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.tenacityshipping.com/s59h/"], "decoy": ["2028my.icu", "svijet-zastite.com", "zwinz.store", "munixc.info", "falcongroupmanagement.com", "aerionsys.com", "hvbatterystore.com", "guidedleveledreading.com", "dayral-review.com", "globalethinvest.com", "mobilecoin.art", "routetree4life.com", "mas-traders.com", "helioolson.com", "hrbwanjinda.com", "tangerinesafe.com", "gabriellemariaphotos.com", "uuckpp.com", "fzshangmao.net", "wanwuchuangyi.com", "insurewithsfg.com", "throwpillowco.com", "whphllc.com", "cndh335.com", "172pelleport.paris", "fuckingharder.com", "avernoon.art", "numatachuo-rc.com", "fogelsingleywedding.com", "lkhomedevelopment.com", "yueoo.info", "paohuangfilms.com", "eacente.info", "yanhuige.com", "xiyuganguo.com", "drutoshebabd.com", "heimeasure.xyz", "efatebejo.xyz", "sjpestcontroller.com", "jid-studio.com", "eoscleaner.com", "idetechco.com", "yyjlzm.com", "staneinvest.com", "flameys.com", "brickstoneinvestmentltd.com", "dicechess.website", "allgamescracked.com", "yuuhaisin.com", "juvearoma.com", "damancavexclusive.com", "everydayanarchism.com", "cicisolutions.host", "dpfibras.com", "anudessk.info", "onszfitness.com", "dlino.online", "thelocalmarketrealestate.com", "eco-friendly.one", "bacnebuster.com", "sparagussolutions.com", "advertising-creations.com", "joanthemoneymentor.com", "cqgongzuotai.com"]}
Multi AV Scanner detection for submitted file
Source: scan-copy 202204.exe Virustotal: Detection: 30% Perma Link
Source: scan-copy 202204.exe ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.scan-copy 202204.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.scan-copy 202204.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.350851832.000000000422E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.346977202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.417985848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.418441297.0000000000E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.522775932.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.525132874.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.380882775.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.405802812.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.418321488.0000000000E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.347441140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.350752708.0000000004198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.523682019.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.350609440.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: scan-copy 202204.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 15.0.scan-copy 202204.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.scan-copy 202204.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.scan-copy 202204.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.2.scan-copy 202204.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
Source: scan-copy 202204.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: scan-copy 202204.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: scan-copy 202204.exe, 0000000F.00000002.421704804.00000000031C0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: scan-copy 202204.exe, 0000000F.00000002.420091467.000000000141F000.00000040.00000800.00020000.00000000.sdmp, scan-copy 202204.exe, 0000000F.00000002.418886183.0000000001300000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 00000012.00000002.525919808.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 00000012.00000002.527450554.0000000004E2F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: scan-copy 202204.exe, scan-copy 202204.exe, 0000000F.00000002.420091467.000000000141F000.00000040.00000800.00020000.00000000.sdmp, scan-copy 202204.exe, 0000000F.00000002.418886183.0000000001300000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000012.00000002.525919808.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 00000012.00000002.527450554.0000000004E2F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: msdt.pdb source: scan-copy 202204.exe, 0000000F.00000002.421704804.00000000031C0000.00000040.10000000.00040000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 4x nop then pop edi 15_2_004161B1
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 4x nop then pop edi 15_2_0041620F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop edi 18_2_00AC61B1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop edi 18_2_00AC620F

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.eco-friendly.one
Source: C:\Windows\explorer.exe Network Connect: 198.54.114.195 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.brickstoneinvestmentltd.com
Yara detected Generic Downloader
Source: Yara match File source: scan-copy 202204.exe, type: SAMPLE
Source: Yara match File source: 15.0.scan-copy 202204.exe.860000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.860000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.860000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.msdt.exe.524796c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.scan-copy 202204.exe.860000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.860000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.860000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.860000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.scan-copy 202204.exe.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.msdt.exe.d26668.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.scan-copy 202204.exe.cc0000.0.unpack, type: UNPACKEDPE
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.tenacityshipping.com/s59h/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /attachments/964082530275954728/966271154442612776/Usevbg_Pzmwkikx.bmp HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /s59h/?gPt=J9yIbbq2JC4kGJ28zSLAHEMUc2712/mbh0KUqSU+6gyJcm/2qQQ0g7MEmxyaj1IcJpiC&wTOHf=8pqLRLgpXn9D HTTP/1.1Host: www.brickstoneinvestmentltd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.135.233 162.159.135.233
Source: Joe Sandbox View IP Address: 162.159.135.233 162.159.135.233
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: scan-copy 202204.exe, 00000000.00000002.349221801.00000000014A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: scan-copy 202204.exe, 00000000.00000002.349702121.00000000030F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: scan-copy 202204.exe, 00000000.00000002.352009478.0000000007132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: scan-copy 202204.exe, 00000000.00000002.349702121.00000000030F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com
Source: scan-copy 202204.exe String found in binary or memory: https://cdn.discordapp.com/attachments/964082530275954728/966271154442612776/Usevbg_Pzmwkikx.bmp
Source: scan-copy 202204.exe, 00000000.00000002.349702121.00000000030F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/964082530275954728/966271154442612776/Usevbg_Pzmwkikx.bmpt%0l
Source: scan-copy 202204.exe, 00000000.00000002.349938512.000000000322A000.00000004.00000800.00020000.00000000.sdmp, scan-copy 202204.exe, 00000000.00000002.349788764.0000000003141000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: scan-copy 202204.exe, 00000000.00000002.349938512.000000000322A000.00000004.00000800.00020000.00000000.sdmp, scan-copy 202204.exe, 00000000.00000002.349788764.0000000003141000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: scan-copy 202204.exe, 00000000.00000002.349938512.000000000322A000.00000004.00000800.00020000.00000000.sdmp, scan-copy 202204.exe, 00000000.00000002.349788764.0000000003141000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: msdt.exe, 00000012.00000002.528983601.00000000053C2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.brickstoneinvestmentltd.com/s59h/?gPt=J9yIbbq2JC4kGJ28zSLAHEMUc2712/mbh0KUqSU
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/964082530275954728/966271154442612776/Usevbg_Pzmwkikx.bmp HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /s59h/?gPt=J9yIbbq2JC4kGJ28zSLAHEMUc2712/mbh0KUqSU+6gyJcm/2qQQ0g7MEmxyaj1IcJpiC&wTOHf=8pqLRLgpXn9D HTTP/1.1Host: www.brickstoneinvestmentltd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49742 version: TLS 1.2
Creates a DirectInput object (often for capturing keystrokes)
Source: scan-copy 202204.exe, 00000000.00000002.349136480.0000000001460000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.scan-copy 202204.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.scan-copy 202204.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.350851832.000000000422E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.346977202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.417985848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.418441297.0000000000E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.522775932.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.525132874.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.380882775.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.405802812.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.418321488.0000000000E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.347441140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.350752708.0000000004198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.523682019.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.350609440.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 15.0.scan-copy 202204.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.0.scan-copy 202204.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.scan-copy 202204.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.0.scan-copy 202204.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.scan-copy 202204.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.0.scan-copy 202204.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.scan-copy 202204.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.0.scan-copy 202204.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.scan-copy 202204.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.scan-copy 202204.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.scan-copy 202204.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.0.scan-copy 202204.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.scan-copy 202204.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.scan-copy 202204.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.350851832.000000000422E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.350851832.000000000422E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.346977202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.346977202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.417985848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.417985848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.418441297.0000000000E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.418441297.0000000000E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.522775932.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.522775932.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.525132874.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.525132874.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.380882775.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.380882775.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.405802812.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.405802812.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.418321488.0000000000E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.418321488.0000000000E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.347441140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.347441140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.350752708.0000000004198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.350752708.0000000004198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.523682019.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.523682019.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.350609440.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.350609440.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: scan-copy 202204.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: scan-copy 202204.exe, type: SAMPLE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.0.scan-copy 202204.exe.860000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.0.scan-copy 202204.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.0.scan-copy 202204.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.0.scan-copy 202204.exe.860000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.0.scan-copy 202204.exe.860000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.0.scan-copy 202204.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.0.scan-copy 202204.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.0.scan-copy 202204.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.0.scan-copy 202204.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.0.scan-copy 202204.exe.860000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 18.2.msdt.exe.524796c.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.0.scan-copy 202204.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.0.scan-copy 202204.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.scan-copy 202204.exe.860000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.0.scan-copy 202204.exe.860000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.0.scan-copy 202204.exe.860000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.0.scan-copy 202204.exe.860000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.2.scan-copy 202204.exe.cc0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.2.scan-copy 202204.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.scan-copy 202204.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.msdt.exe.d26668.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.0.scan-copy 202204.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.0.scan-copy 202204.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.scan-copy 202204.exe.cc0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.2.scan-copy 202204.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.scan-copy 202204.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.350851832.000000000422E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.350851832.000000000422E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.346977202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.346977202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.417985848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.417985848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.418441297.0000000000E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.418441297.0000000000E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.522775932.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.522775932.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.525132874.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.525132874.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.380882775.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.380882775.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.405802812.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.405802812.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.418321488.0000000000E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.418321488.0000000000E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.347441140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.347441140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.350752708.0000000004198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.350752708.0000000004198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.523682019.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.523682019.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.350609440.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.350609440.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 0_2_00CC22A8 0_2_00CC22A8
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 0_2_013EC284 0_2_013EC284
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 0_2_013EE650 0_2_013EE650
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 0_2_013EE640 0_2_013EE640
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 0_2_00CC2050 0_2_00CC2050
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00401028 15_2_00401028
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00401030 15_2_00401030
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041B8D6 15_2_0041B8D6
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041C097 15_2_0041C097
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041C976 15_2_0041C976
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041C10D 15_2_0041C10D
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0040120A 15_2_0040120A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041D20E 15_2_0041D20E
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041C477 15_2_0041C477
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00408C8C 15_2_00408C8C
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00408C90 15_2_00408C90
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00402D87 15_2_00402D87
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00402D90 15_2_00402D90
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041C60E 15_2_0041C60E
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00402FB0 15_2_00402FB0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_008622A8 15_2_008622A8
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01344120 15_2_01344120
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132F900 15_2_0132F900
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1002 15_2_013E1002
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013520A0 15_2_013520A0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F20A8 15_2_013F20A8
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133B090 15_2_0133B090
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F28EC 15_2_013F28EC
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F2B28 15_2_013F2B28
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135EBB0 15_2_0135EBB0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013EDBD2 15_2_013EDBD2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F22AE 15_2_013F22AE
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01320D20 15_2_01320D20
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F2D07 15_2_013F2D07
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F1D55 15_2_013F1D55
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01352581 15_2_01352581
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133D5E0 15_2_0133D5E0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F25DD 15_2_013F25DD
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133841F 15_2_0133841F
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013ED466 15_2_013ED466
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F1FF1 15_2_013F1FF1
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01346E30 15_2_01346E30
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013ED616 15_2_013ED616
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F2EF7 15_2_013F2EF7
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00862050 15_2_00862050
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DFD466 18_2_04DFD466
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4841F 18_2_04D4841F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4D5E0 18_2_04D4D5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E025DD 18_2_04E025DD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D62581 18_2_04D62581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E01D55 18_2_04E01D55
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E02D07 18_2_04E02D07
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D30D20 18_2_04D30D20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E02EF7 18_2_04E02EF7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DFD616 18_2_04DFD616
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D56E30 18_2_04D56E30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E01FF1 18_2_04E01FF1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E028EC 18_2_04E028EC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4B090 18_2_04D4B090
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E020A8 18_2_04E020A8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D620A0 18_2_04D620A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1002 18_2_04DF1002
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3F900 18_2_04D3F900
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D54120 18_2_04D54120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E022AE 18_2_04E022AE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DFDBD2 18_2_04DFDBD2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6EBB0 18_2_04D6EBB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E02B28 18_2_04E02B28
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00ACC097 18_2_00ACC097
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00ACB8D6 18_2_00ACB8D6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00ACC976 18_2_00ACC976
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AB8C8C 18_2_00AB8C8C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AB8C90 18_2_00AB8C90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AB2D87 18_2_00AB2D87
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AB2D90 18_2_00AB2D90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AB2FB0 18_2_00AB2FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: String function: 0132B150 appears 35 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 04D3B150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_004185F0 NtCreateFile, 15_2_004185F0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_004186A0 NtReadFile, 15_2_004186A0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00418720 NtClose, 15_2_00418720
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_004187D0 NtAllocateVirtualMemory, 15_2_004187D0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041869A NtReadFile, 15_2_0041869A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041871A NtClose, 15_2_0041871A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_01369910
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013699A0 NtCreateSection,LdrInitializeThunk, 15_2_013699A0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_01369860
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369840 NtDelayExecution,LdrInitializeThunk, 15_2_01369840
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013698F0 NtReadVirtualMemory,LdrInitializeThunk, 15_2_013698F0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369A20 NtResumeThread,LdrInitializeThunk, 15_2_01369A20
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369A00 NtProtectVirtualMemory,LdrInitializeThunk, 15_2_01369A00
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369A50 NtCreateFile,LdrInitializeThunk, 15_2_01369A50
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369540 NtReadFile,LdrInitializeThunk, 15_2_01369540
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013695D0 NtClose,LdrInitializeThunk, 15_2_013695D0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369710 NtQueryInformationToken,LdrInitializeThunk, 15_2_01369710
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013697A0 NtUnmapViewOfSection,LdrInitializeThunk, 15_2_013697A0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369780 NtMapViewOfSection,LdrInitializeThunk, 15_2_01369780
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369FE0 NtCreateMutant,LdrInitializeThunk, 15_2_01369FE0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369660 NtAllocateVirtualMemory,LdrInitializeThunk, 15_2_01369660
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013696E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_013696E0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369950 NtQueueApcThread, 15_2_01369950
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013699D0 NtCreateProcessEx, 15_2_013699D0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369820 NtEnumerateKey, 15_2_01369820
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0136B040 NtSuspendThread, 15_2_0136B040
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013698A0 NtWriteVirtualMemory, 15_2_013698A0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369B00 NtSetValueKey, 15_2_01369B00
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0136A3B0 NtGetContextThread, 15_2_0136A3B0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369A10 NtQuerySection, 15_2_01369A10
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369A80 NtOpenDirectoryObject, 15_2_01369A80
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0136AD30 NtSetContextThread, 15_2_0136AD30
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369520 NtWaitForSingleObject, 15_2_01369520
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369560 NtWriteFile, 15_2_01369560
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013695F0 NtQueryInformationFile, 15_2_013695F0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369730 NtQueryVirtualMemory, 15_2_01369730
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0136A710 NtOpenProcessToken, 15_2_0136A710
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0136A770 NtOpenThread, 15_2_0136A770
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369770 NtSetInformationFile, 15_2_01369770
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369760 NtOpenProcess, 15_2_01369760
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369610 NtEnumerateValueKey, 15_2_01369610
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369670 NtQueryInformationProcess, 15_2_01369670
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01369650 NtQueryValueKey, 15_2_01369650
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013696D0 NtCreateKey, 15_2_013696D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D795D0 NtClose,LdrInitializeThunk, 18_2_04D795D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79540 NtReadFile,LdrInitializeThunk, 18_2_04D79540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D796D0 NtCreateKey,LdrInitializeThunk, 18_2_04D796D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D796E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_04D796E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79650 NtQueryValueKey,LdrInitializeThunk, 18_2_04D79650
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79660 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_04D79660
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79FE0 NtCreateMutant,LdrInitializeThunk, 18_2_04D79FE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79780 NtMapViewOfSection,LdrInitializeThunk, 18_2_04D79780
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79710 NtQueryInformationToken,LdrInitializeThunk, 18_2_04D79710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79840 NtDelayExecution,LdrInitializeThunk, 18_2_04D79840
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79860 NtQuerySystemInformation,LdrInitializeThunk, 18_2_04D79860
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D799A0 NtCreateSection,LdrInitializeThunk, 18_2_04D799A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79910 NtAdjustPrivilegesToken,LdrInitializeThunk, 18_2_04D79910
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79A50 NtCreateFile,LdrInitializeThunk, 18_2_04D79A50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D795F0 NtQueryInformationFile, 18_2_04D795F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79560 NtWriteFile, 18_2_04D79560
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7AD30 NtSetContextThread, 18_2_04D7AD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79520 NtWaitForSingleObject, 18_2_04D79520
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79670 NtQueryInformationProcess, 18_2_04D79670
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79610 NtEnumerateValueKey, 18_2_04D79610
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D797A0 NtUnmapViewOfSection, 18_2_04D797A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7A770 NtOpenThread, 18_2_04D7A770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79770 NtSetInformationFile, 18_2_04D79770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79760 NtOpenProcess, 18_2_04D79760
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7A710 NtOpenProcessToken, 18_2_04D7A710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79730 NtQueryVirtualMemory, 18_2_04D79730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D798F0 NtReadVirtualMemory, 18_2_04D798F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D798A0 NtWriteVirtualMemory, 18_2_04D798A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7B040 NtSuspendThread, 18_2_04D7B040
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79820 NtEnumerateKey, 18_2_04D79820
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D799D0 NtCreateProcessEx, 18_2_04D799D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79950 NtQueueApcThread, 18_2_04D79950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79A80 NtOpenDirectoryObject, 18_2_04D79A80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79A10 NtQuerySection, 18_2_04D79A10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79A00 NtProtectVirtualMemory, 18_2_04D79A00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79A20 NtResumeThread, 18_2_04D79A20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7A3B0 NtGetContextThread, 18_2_04D7A3B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D79B00 NtSetValueKey, 18_2_04D79B00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AC85F0 NtCreateFile, 18_2_00AC85F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AC86A0 NtReadFile, 18_2_00AC86A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AC87D0 NtAllocateVirtualMemory, 18_2_00AC87D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AC8720 NtClose, 18_2_00AC8720
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AC869A NtReadFile, 18_2_00AC869A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AC871A NtClose, 18_2_00AC871A
PE file contains executable resources (Code or Archives)
Source: scan-copy 202204.exe Static PE information: Resource name: RT_VERSION type: ARC archive data, packed
Sample file is different than original file name gathered from version info
Source: scan-copy 202204.exe, 00000000.00000002.354024291.00000000082F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBinsyn.dll" vs scan-copy 202204.exe
Source: scan-copy 202204.exe, 00000000.00000002.348579760.0000000000CC6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUsevbg.exe0 vs scan-copy 202204.exe
Source: scan-copy 202204.exe, 00000000.00000002.349136480.0000000001460000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs scan-copy 202204.exe
Source: scan-copy 202204.exe, 00000000.00000003.343858916.00000000042D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBinsyn.dll" vs scan-copy 202204.exe
Source: scan-copy 202204.exe, 00000000.00000003.344178093.0000000004610000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBinsyn.dll" vs scan-copy 202204.exe
Source: scan-copy 202204.exe, 00000000.00000002.349788764.0000000003141000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs scan-copy 202204.exe
Source: scan-copy 202204.exe, 0000000F.00000002.420861386.00000000015AF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs scan-copy 202204.exe
Source: scan-copy 202204.exe, 0000000F.00000002.418044910.0000000000866000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUsevbg.exe0 vs scan-copy 202204.exe
Source: scan-copy 202204.exe, 0000000F.00000002.420091467.000000000141F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs scan-copy 202204.exe
Source: scan-copy 202204.exe, 0000000F.00000002.421704804.00000000031C0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs scan-copy 202204.exe
Source: scan-copy 202204.exe Binary or memory string: OriginalFilenameUsevbg.exe0 vs scan-copy 202204.exe
PE file contains strange resources
Source: scan-copy 202204.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: scan-copy 202204.exe Virustotal: Detection: 30%
Source: scan-copy 202204.exe ReversingLabs: Detection: 14%
Source: scan-copy 202204.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\scan-copy 202204.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\scan-copy 202204.exe "C:\Users\user\Desktop\scan-copy 202204.exe"
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 10
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process created: C:\Users\user\Desktop\scan-copy 202204.exe C:\Users\user\Desktop\scan-copy 202204.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\scan-copy 202204.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10 Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process created: C:\Users\user\Desktop\scan-copy 202204.exe C:\Users\user\Desktop\scan-copy 202204.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 10 Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\scan-copy 202204.exe" Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\scan-copy 202204.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/1@4/2
Source: C:\Users\user\Desktop\scan-copy 202204.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:992:120:WilError_01
Source: C:\Users\user\Desktop\scan-copy 202204.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: scan-copy 202204.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: scan-copy 202204.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: scan-copy 202204.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: msdt.pdbGCTL source: scan-copy 202204.exe, 0000000F.00000002.421704804.00000000031C0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: scan-copy 202204.exe, 0000000F.00000002.420091467.000000000141F000.00000040.00000800.00020000.00000000.sdmp, scan-copy 202204.exe, 0000000F.00000002.418886183.0000000001300000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 00000012.00000002.525919808.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 00000012.00000002.527450554.0000000004E2F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: scan-copy 202204.exe, scan-copy 202204.exe, 0000000F.00000002.420091467.000000000141F000.00000040.00000800.00020000.00000000.sdmp, scan-copy 202204.exe, 0000000F.00000002.418886183.0000000001300000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000012.00000002.525919808.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 00000012.00000002.527450554.0000000004E2F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: msdt.pdb source: scan-copy 202204.exe, 0000000F.00000002.421704804.00000000031C0000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: scan-copy 202204.exe, Form4.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.scan-copy 202204.exe.cc0000.0.unpack, Form4.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.scan-copy 202204.exe.cc0000.0.unpack, Form4.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.scan-copy 202204.exe.860000.0.unpack, Form4.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.scan-copy 202204.exe.860000.5.unpack, Form4.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.scan-copy 202204.exe.860000.2.unpack, Form4.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.scan-copy 202204.exe.860000.3.unpack, Form4.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.scan-copy 202204.exe.860000.1.unpack, Form4.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.scan-copy 202204.exe.860000.1.unpack, Form4.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.scan-copy 202204.exe.860000.7.unpack, Form4.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.scan-copy 202204.exe.860000.9.unpack, Form4.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00415823 push ebp; iretd 15_2_00415825
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041B832 push eax; ret 15_2_0041B838
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041B83B push eax; ret 15_2_0041B8A2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041B89C push eax; ret 15_2_0041B8A2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_004160B6 push esi; iretd 15_2_004160E3
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0040A15B push esi; ret 15_2_0040A15C
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00416119 push esi; iretd 15_2_004160E3
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00416119 pushad ; iretd 15_2_00416130
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00418186 push ebx; iretd 15_2_00418187
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0040F3A1 push dword ptr [ecx+6Bh]; ret 15_2_0040F3AF
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00415CE4 push ebp; ret 15_2_00415CE5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041AF71 push edi; retf 15_2_0041AF72
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0041B7E5 push eax; ret 15_2_0041B838
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0137D0D1 push ecx; ret 15_2_0137D0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D8D0D1 push ecx; ret 18_2_04D8D0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AC60B6 push esi; iretd 18_2_00AC60E3
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00ACB89C push eax; ret 18_2_00ACB8A2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AC5823 push ebp; iretd 18_2_00AC5825
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00ACB83B push eax; ret 18_2_00ACB8A2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00ACB832 push eax; ret 18_2_00ACB838
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AC8186 push ebx; iretd 18_2_00AC8187
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AC6119 push esi; iretd 18_2_00AC60E3
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AC6119 pushad ; iretd 18_2_00AC6130
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00ABA15B push esi; ret 18_2_00ABA15C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00ABF3A1 push dword ptr [ecx+6Bh]; ret 18_2_00ABF3AF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00AC5CE4 push ebp; ret 18_2_00AC5CE5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00ACB7E5 push eax; ret 18_2_00ACB838
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_00ACAF71 push edi; retf 18_2_00ACAF72
Binary contains a suspicious time stamp
Source: scan-copy 202204.exe Static PE information: 0xF64312B7 [Sat Dec 4 08:07:19 2100 UTC]

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (92).png
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del "C:\Users\user\Desktop\scan-copy 202204.exe"
Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del "C:\Users\user\Desktop\scan-copy 202204.exe" Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\scan-copy 202204.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\scan-copy 202204.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000AB8614 second address: 0000000000AB861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000AB89AE second address: 0000000000AB89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\scan-copy 202204.exe TID: 7020 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe TID: 6348 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 4404 Thread sleep count: 68 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_004088E0 rdtsc 15_2_004088E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\scan-copy 202204.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\scan-copy 202204.exe API coverage: 9.0 %
Source: C:\Windows\SysWOW64\msdt.exe API coverage: 9.5 %
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000010.00000000.376881559.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000010.00000000.368666508.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000010.00000000.359538036.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.386457348.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.359538036.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000010.00000000.373892210.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.359538036.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 00000010.00000000.370878585.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000010.00000000.377156311.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000010.00000000.359538036.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000010.00000000.376881559.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: scan-copy 202204.exe, 00000000.00000002.349334643.000000000152F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000010.00000000.359538036.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_004088E0 rdtsc 15_2_004088E0
Enables debug privileges
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135513A mov eax, dword ptr fs:[00000030h] 15_2_0135513A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135513A mov eax, dword ptr fs:[00000030h] 15_2_0135513A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01344120 mov eax, dword ptr fs:[00000030h] 15_2_01344120
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01344120 mov eax, dword ptr fs:[00000030h] 15_2_01344120
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01344120 mov eax, dword ptr fs:[00000030h] 15_2_01344120
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01344120 mov eax, dword ptr fs:[00000030h] 15_2_01344120
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01344120 mov ecx, dword ptr fs:[00000030h] 15_2_01344120
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01329100 mov eax, dword ptr fs:[00000030h] 15_2_01329100
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01329100 mov eax, dword ptr fs:[00000030h] 15_2_01329100
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01329100 mov eax, dword ptr fs:[00000030h] 15_2_01329100
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132B171 mov eax, dword ptr fs:[00000030h] 15_2_0132B171
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132B171 mov eax, dword ptr fs:[00000030h] 15_2_0132B171
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132C962 mov eax, dword ptr fs:[00000030h] 15_2_0132C962
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0134B944 mov eax, dword ptr fs:[00000030h] 15_2_0134B944
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0134B944 mov eax, dword ptr fs:[00000030h] 15_2_0134B944
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A51BE mov eax, dword ptr fs:[00000030h] 15_2_013A51BE
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A51BE mov eax, dword ptr fs:[00000030h] 15_2_013A51BE
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A51BE mov eax, dword ptr fs:[00000030h] 15_2_013A51BE
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A51BE mov eax, dword ptr fs:[00000030h] 15_2_013A51BE
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013561A0 mov eax, dword ptr fs:[00000030h] 15_2_013561A0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013561A0 mov eax, dword ptr fs:[00000030h] 15_2_013561A0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A69A6 mov eax, dword ptr fs:[00000030h] 15_2_013A69A6
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01352990 mov eax, dword ptr fs:[00000030h] 15_2_01352990
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135A185 mov eax, dword ptr fs:[00000030h] 15_2_0135A185
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0134C182 mov eax, dword ptr fs:[00000030h] 15_2_0134C182
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013B41E8 mov eax, dword ptr fs:[00000030h] 15_2_013B41E8
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132B1E1 mov eax, dword ptr fs:[00000030h] 15_2_0132B1E1
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132B1E1 mov eax, dword ptr fs:[00000030h] 15_2_0132B1E1
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132B1E1 mov eax, dword ptr fs:[00000030h] 15_2_0132B1E1
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135002D mov eax, dword ptr fs:[00000030h] 15_2_0135002D
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135002D mov eax, dword ptr fs:[00000030h] 15_2_0135002D
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135002D mov eax, dword ptr fs:[00000030h] 15_2_0135002D
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135002D mov eax, dword ptr fs:[00000030h] 15_2_0135002D
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135002D mov eax, dword ptr fs:[00000030h] 15_2_0135002D
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133B02A mov eax, dword ptr fs:[00000030h] 15_2_0133B02A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133B02A mov eax, dword ptr fs:[00000030h] 15_2_0133B02A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133B02A mov eax, dword ptr fs:[00000030h] 15_2_0133B02A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133B02A mov eax, dword ptr fs:[00000030h] 15_2_0133B02A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F4015 mov eax, dword ptr fs:[00000030h] 15_2_013F4015
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F4015 mov eax, dword ptr fs:[00000030h] 15_2_013F4015
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A7016 mov eax, dword ptr fs:[00000030h] 15_2_013A7016
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A7016 mov eax, dword ptr fs:[00000030h] 15_2_013A7016
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A7016 mov eax, dword ptr fs:[00000030h] 15_2_013A7016
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F1074 mov eax, dword ptr fs:[00000030h] 15_2_013F1074
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E2073 mov eax, dword ptr fs:[00000030h] 15_2_013E2073
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01340050 mov eax, dword ptr fs:[00000030h] 15_2_01340050
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01340050 mov eax, dword ptr fs:[00000030h] 15_2_01340050
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135F0BF mov ecx, dword ptr fs:[00000030h] 15_2_0135F0BF
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135F0BF mov eax, dword ptr fs:[00000030h] 15_2_0135F0BF
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135F0BF mov eax, dword ptr fs:[00000030h] 15_2_0135F0BF
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013520A0 mov eax, dword ptr fs:[00000030h] 15_2_013520A0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013520A0 mov eax, dword ptr fs:[00000030h] 15_2_013520A0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013520A0 mov eax, dword ptr fs:[00000030h] 15_2_013520A0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013520A0 mov eax, dword ptr fs:[00000030h] 15_2_013520A0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013520A0 mov eax, dword ptr fs:[00000030h] 15_2_013520A0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013520A0 mov eax, dword ptr fs:[00000030h] 15_2_013520A0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013690AF mov eax, dword ptr fs:[00000030h] 15_2_013690AF
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01329080 mov eax, dword ptr fs:[00000030h] 15_2_01329080
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A3884 mov eax, dword ptr fs:[00000030h] 15_2_013A3884
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A3884 mov eax, dword ptr fs:[00000030h] 15_2_013A3884
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013258EC mov eax, dword ptr fs:[00000030h] 15_2_013258EC
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013BB8D0 mov eax, dword ptr fs:[00000030h] 15_2_013BB8D0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013BB8D0 mov ecx, dword ptr fs:[00000030h] 15_2_013BB8D0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013BB8D0 mov eax, dword ptr fs:[00000030h] 15_2_013BB8D0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013BB8D0 mov eax, dword ptr fs:[00000030h] 15_2_013BB8D0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013BB8D0 mov eax, dword ptr fs:[00000030h] 15_2_013BB8D0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013BB8D0 mov eax, dword ptr fs:[00000030h] 15_2_013BB8D0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E131B mov eax, dword ptr fs:[00000030h] 15_2_013E131B
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01353B7A mov eax, dword ptr fs:[00000030h] 15_2_01353B7A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01353B7A mov eax, dword ptr fs:[00000030h] 15_2_01353B7A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132DB60 mov ecx, dword ptr fs:[00000030h] 15_2_0132DB60
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F8B58 mov eax, dword ptr fs:[00000030h] 15_2_013F8B58
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132F358 mov eax, dword ptr fs:[00000030h] 15_2_0132F358
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132DB40 mov eax, dword ptr fs:[00000030h] 15_2_0132DB40
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01354BAD mov eax, dword ptr fs:[00000030h] 15_2_01354BAD
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01354BAD mov eax, dword ptr fs:[00000030h] 15_2_01354BAD
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01354BAD mov eax, dword ptr fs:[00000030h] 15_2_01354BAD
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F5BA5 mov eax, dword ptr fs:[00000030h] 15_2_013F5BA5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01352397 mov eax, dword ptr fs:[00000030h] 15_2_01352397
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135B390 mov eax, dword ptr fs:[00000030h] 15_2_0135B390
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E138A mov eax, dword ptr fs:[00000030h] 15_2_013E138A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01331B8F mov eax, dword ptr fs:[00000030h] 15_2_01331B8F
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01331B8F mov eax, dword ptr fs:[00000030h] 15_2_01331B8F
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013DD380 mov ecx, dword ptr fs:[00000030h] 15_2_013DD380
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013503E2 mov eax, dword ptr fs:[00000030h] 15_2_013503E2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013503E2 mov eax, dword ptr fs:[00000030h] 15_2_013503E2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013503E2 mov eax, dword ptr fs:[00000030h] 15_2_013503E2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013503E2 mov eax, dword ptr fs:[00000030h] 15_2_013503E2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013503E2 mov eax, dword ptr fs:[00000030h] 15_2_013503E2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013503E2 mov eax, dword ptr fs:[00000030h] 15_2_013503E2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0134DBE9 mov eax, dword ptr fs:[00000030h] 15_2_0134DBE9
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A53CA mov eax, dword ptr fs:[00000030h] 15_2_013A53CA
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A53CA mov eax, dword ptr fs:[00000030h] 15_2_013A53CA
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01364A2C mov eax, dword ptr fs:[00000030h] 15_2_01364A2C
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01364A2C mov eax, dword ptr fs:[00000030h] 15_2_01364A2C
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01325210 mov eax, dword ptr fs:[00000030h] 15_2_01325210
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01325210 mov ecx, dword ptr fs:[00000030h] 15_2_01325210
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01325210 mov eax, dword ptr fs:[00000030h] 15_2_01325210
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01325210 mov eax, dword ptr fs:[00000030h] 15_2_01325210
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132AA16 mov eax, dword ptr fs:[00000030h] 15_2_0132AA16
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132AA16 mov eax, dword ptr fs:[00000030h] 15_2_0132AA16
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01343A1C mov eax, dword ptr fs:[00000030h] 15_2_01343A1C
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013EAA16 mov eax, dword ptr fs:[00000030h] 15_2_013EAA16
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013EAA16 mov eax, dword ptr fs:[00000030h] 15_2_013EAA16
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01338A0A mov eax, dword ptr fs:[00000030h] 15_2_01338A0A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0136927A mov eax, dword ptr fs:[00000030h] 15_2_0136927A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013DB260 mov eax, dword ptr fs:[00000030h] 15_2_013DB260
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013DB260 mov eax, dword ptr fs:[00000030h] 15_2_013DB260
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F8A62 mov eax, dword ptr fs:[00000030h] 15_2_013F8A62
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013EEA55 mov eax, dword ptr fs:[00000030h] 15_2_013EEA55
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013B4257 mov eax, dword ptr fs:[00000030h] 15_2_013B4257
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01329240 mov eax, dword ptr fs:[00000030h] 15_2_01329240
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01329240 mov eax, dword ptr fs:[00000030h] 15_2_01329240
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01329240 mov eax, dword ptr fs:[00000030h] 15_2_01329240
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01329240 mov eax, dword ptr fs:[00000030h] 15_2_01329240
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133AAB0 mov eax, dword ptr fs:[00000030h] 15_2_0133AAB0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133AAB0 mov eax, dword ptr fs:[00000030h] 15_2_0133AAB0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135FAB0 mov eax, dword ptr fs:[00000030h] 15_2_0135FAB0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013252A5 mov eax, dword ptr fs:[00000030h] 15_2_013252A5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013252A5 mov eax, dword ptr fs:[00000030h] 15_2_013252A5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013252A5 mov eax, dword ptr fs:[00000030h] 15_2_013252A5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013252A5 mov eax, dword ptr fs:[00000030h] 15_2_013252A5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013252A5 mov eax, dword ptr fs:[00000030h] 15_2_013252A5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135D294 mov eax, dword ptr fs:[00000030h] 15_2_0135D294
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135D294 mov eax, dword ptr fs:[00000030h] 15_2_0135D294
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01352AE4 mov eax, dword ptr fs:[00000030h] 15_2_01352AE4
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01352ACB mov eax, dword ptr fs:[00000030h] 15_2_01352ACB
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132AD30 mov eax, dword ptr fs:[00000030h] 15_2_0132AD30
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01333D34 mov eax, dword ptr fs:[00000030h] 15_2_01333D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01333D34 mov eax, dword ptr fs:[00000030h] 15_2_01333D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01333D34 mov eax, dword ptr fs:[00000030h] 15_2_01333D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01333D34 mov eax, dword ptr fs:[00000030h] 15_2_01333D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01333D34 mov eax, dword ptr fs:[00000030h] 15_2_01333D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01333D34 mov eax, dword ptr fs:[00000030h] 15_2_01333D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01333D34 mov eax, dword ptr fs:[00000030h] 15_2_01333D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01333D34 mov eax, dword ptr fs:[00000030h] 15_2_01333D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01333D34 mov eax, dword ptr fs:[00000030h] 15_2_01333D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01333D34 mov eax, dword ptr fs:[00000030h] 15_2_01333D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01333D34 mov eax, dword ptr fs:[00000030h] 15_2_01333D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01333D34 mov eax, dword ptr fs:[00000030h] 15_2_01333D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01333D34 mov eax, dword ptr fs:[00000030h] 15_2_01333D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013EE539 mov eax, dword ptr fs:[00000030h] 15_2_013EE539
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F8D34 mov eax, dword ptr fs:[00000030h] 15_2_013F8D34
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013AA537 mov eax, dword ptr fs:[00000030h] 15_2_013AA537
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01354D3B mov eax, dword ptr fs:[00000030h] 15_2_01354D3B
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01354D3B mov eax, dword ptr fs:[00000030h] 15_2_01354D3B
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01354D3B mov eax, dword ptr fs:[00000030h] 15_2_01354D3B
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0134C577 mov eax, dword ptr fs:[00000030h] 15_2_0134C577
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0134C577 mov eax, dword ptr fs:[00000030h] 15_2_0134C577
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01347D50 mov eax, dword ptr fs:[00000030h] 15_2_01347D50
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01363D43 mov eax, dword ptr fs:[00000030h] 15_2_01363D43
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A3540 mov eax, dword ptr fs:[00000030h] 15_2_013A3540
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01351DB5 mov eax, dword ptr fs:[00000030h] 15_2_01351DB5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01351DB5 mov eax, dword ptr fs:[00000030h] 15_2_01351DB5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01351DB5 mov eax, dword ptr fs:[00000030h] 15_2_01351DB5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F05AC mov eax, dword ptr fs:[00000030h] 15_2_013F05AC
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F05AC mov eax, dword ptr fs:[00000030h] 15_2_013F05AC
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013535A1 mov eax, dword ptr fs:[00000030h] 15_2_013535A1
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135FD9B mov eax, dword ptr fs:[00000030h] 15_2_0135FD9B
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135FD9B mov eax, dword ptr fs:[00000030h] 15_2_0135FD9B
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01352581 mov eax, dword ptr fs:[00000030h] 15_2_01352581
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01352581 mov eax, dword ptr fs:[00000030h] 15_2_01352581
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01352581 mov eax, dword ptr fs:[00000030h] 15_2_01352581
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01352581 mov eax, dword ptr fs:[00000030h] 15_2_01352581
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01322D8A mov eax, dword ptr fs:[00000030h] 15_2_01322D8A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01322D8A mov eax, dword ptr fs:[00000030h] 15_2_01322D8A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01322D8A mov eax, dword ptr fs:[00000030h] 15_2_01322D8A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01322D8A mov eax, dword ptr fs:[00000030h] 15_2_01322D8A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01322D8A mov eax, dword ptr fs:[00000030h] 15_2_01322D8A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013D8DF1 mov eax, dword ptr fs:[00000030h] 15_2_013D8DF1
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133D5E0 mov eax, dword ptr fs:[00000030h] 15_2_0133D5E0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133D5E0 mov eax, dword ptr fs:[00000030h] 15_2_0133D5E0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013EFDE2 mov eax, dword ptr fs:[00000030h] 15_2_013EFDE2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013EFDE2 mov eax, dword ptr fs:[00000030h] 15_2_013EFDE2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013EFDE2 mov eax, dword ptr fs:[00000030h] 15_2_013EFDE2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013EFDE2 mov eax, dword ptr fs:[00000030h] 15_2_013EFDE2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A6DC9 mov eax, dword ptr fs:[00000030h] 15_2_013A6DC9
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A6DC9 mov eax, dword ptr fs:[00000030h] 15_2_013A6DC9
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A6DC9 mov eax, dword ptr fs:[00000030h] 15_2_013A6DC9
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A6DC9 mov ecx, dword ptr fs:[00000030h] 15_2_013A6DC9
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A6DC9 mov eax, dword ptr fs:[00000030h] 15_2_013A6DC9
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A6DC9 mov eax, dword ptr fs:[00000030h] 15_2_013A6DC9
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135BC2C mov eax, dword ptr fs:[00000030h] 15_2_0135BC2C
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A6C0A mov eax, dword ptr fs:[00000030h] 15_2_013A6C0A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A6C0A mov eax, dword ptr fs:[00000030h] 15_2_013A6C0A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A6C0A mov eax, dword ptr fs:[00000030h] 15_2_013A6C0A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A6C0A mov eax, dword ptr fs:[00000030h] 15_2_013A6C0A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F740D mov eax, dword ptr fs:[00000030h] 15_2_013F740D
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F740D mov eax, dword ptr fs:[00000030h] 15_2_013F740D
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F740D mov eax, dword ptr fs:[00000030h] 15_2_013F740D
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1C06 mov eax, dword ptr fs:[00000030h] 15_2_013E1C06
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0134746D mov eax, dword ptr fs:[00000030h] 15_2_0134746D
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013BC450 mov eax, dword ptr fs:[00000030h] 15_2_013BC450
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013BC450 mov eax, dword ptr fs:[00000030h] 15_2_013BC450
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135A44B mov eax, dword ptr fs:[00000030h] 15_2_0135A44B
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133849B mov eax, dword ptr fs:[00000030h] 15_2_0133849B
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E14FB mov eax, dword ptr fs:[00000030h] 15_2_013E14FB
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A6CF0 mov eax, dword ptr fs:[00000030h] 15_2_013A6CF0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A6CF0 mov eax, dword ptr fs:[00000030h] 15_2_013A6CF0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A6CF0 mov eax, dword ptr fs:[00000030h] 15_2_013A6CF0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F8CD6 mov eax, dword ptr fs:[00000030h] 15_2_013F8CD6
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135E730 mov eax, dword ptr fs:[00000030h] 15_2_0135E730
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01324F2E mov eax, dword ptr fs:[00000030h] 15_2_01324F2E
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01324F2E mov eax, dword ptr fs:[00000030h] 15_2_01324F2E
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0134F716 mov eax, dword ptr fs:[00000030h] 15_2_0134F716
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013BFF10 mov eax, dword ptr fs:[00000030h] 15_2_013BFF10
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013BFF10 mov eax, dword ptr fs:[00000030h] 15_2_013BFF10
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F070D mov eax, dword ptr fs:[00000030h] 15_2_013F070D
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F070D mov eax, dword ptr fs:[00000030h] 15_2_013F070D
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135A70E mov eax, dword ptr fs:[00000030h] 15_2_0135A70E
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135A70E mov eax, dword ptr fs:[00000030h] 15_2_0135A70E
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133FF60 mov eax, dword ptr fs:[00000030h] 15_2_0133FF60
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F8F6A mov eax, dword ptr fs:[00000030h] 15_2_013F8F6A
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133EF40 mov eax, dword ptr fs:[00000030h] 15_2_0133EF40
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01338794 mov eax, dword ptr fs:[00000030h] 15_2_01338794
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A7794 mov eax, dword ptr fs:[00000030h] 15_2_013A7794
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A7794 mov eax, dword ptr fs:[00000030h] 15_2_013A7794
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A7794 mov eax, dword ptr fs:[00000030h] 15_2_013A7794
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013637F5 mov eax, dword ptr fs:[00000030h] 15_2_013637F5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013DFE3F mov eax, dword ptr fs:[00000030h] 15_2_013DFE3F
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132E620 mov eax, dword ptr fs:[00000030h] 15_2_0132E620
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135A61C mov eax, dword ptr fs:[00000030h] 15_2_0135A61C
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0135A61C mov eax, dword ptr fs:[00000030h] 15_2_0135A61C
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132C600 mov eax, dword ptr fs:[00000030h] 15_2_0132C600
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132C600 mov eax, dword ptr fs:[00000030h] 15_2_0132C600
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0132C600 mov eax, dword ptr fs:[00000030h] 15_2_0132C600
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01358E00 mov eax, dword ptr fs:[00000030h] 15_2_01358E00
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013E1608 mov eax, dword ptr fs:[00000030h] 15_2_013E1608
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0134AE73 mov eax, dword ptr fs:[00000030h] 15_2_0134AE73
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0134AE73 mov eax, dword ptr fs:[00000030h] 15_2_0134AE73
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0134AE73 mov eax, dword ptr fs:[00000030h] 15_2_0134AE73
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0134AE73 mov eax, dword ptr fs:[00000030h] 15_2_0134AE73
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0134AE73 mov eax, dword ptr fs:[00000030h] 15_2_0134AE73
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_0133766D mov eax, dword ptr fs:[00000030h] 15_2_0133766D
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01337E41 mov eax, dword ptr fs:[00000030h] 15_2_01337E41
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01337E41 mov eax, dword ptr fs:[00000030h] 15_2_01337E41
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01337E41 mov eax, dword ptr fs:[00000030h] 15_2_01337E41
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01337E41 mov eax, dword ptr fs:[00000030h] 15_2_01337E41
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01337E41 mov eax, dword ptr fs:[00000030h] 15_2_01337E41
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01337E41 mov eax, dword ptr fs:[00000030h] 15_2_01337E41
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013EAE44 mov eax, dword ptr fs:[00000030h] 15_2_013EAE44
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013EAE44 mov eax, dword ptr fs:[00000030h] 15_2_013EAE44
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F0EA5 mov eax, dword ptr fs:[00000030h] 15_2_013F0EA5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F0EA5 mov eax, dword ptr fs:[00000030h] 15_2_013F0EA5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F0EA5 mov eax, dword ptr fs:[00000030h] 15_2_013F0EA5
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013A46A7 mov eax, dword ptr fs:[00000030h] 15_2_013A46A7
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013BFE87 mov eax, dword ptr fs:[00000030h] 15_2_013BFE87
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013376E2 mov eax, dword ptr fs:[00000030h] 15_2_013376E2
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013516E0 mov ecx, dword ptr fs:[00000030h] 15_2_013516E0
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013F8ED6 mov eax, dword ptr fs:[00000030h] 15_2_013F8ED6
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_01368EC7 mov eax, dword ptr fs:[00000030h] 15_2_01368EC7
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013536CC mov eax, dword ptr fs:[00000030h] 15_2_013536CC
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_013DFEC0 mov eax, dword ptr fs:[00000030h] 15_2_013DFEC0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF14FB mov eax, dword ptr fs:[00000030h] 18_2_04DF14FB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB6CF0 mov eax, dword ptr fs:[00000030h] 18_2_04DB6CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB6CF0 mov eax, dword ptr fs:[00000030h] 18_2_04DB6CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB6CF0 mov eax, dword ptr fs:[00000030h] 18_2_04DB6CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E08CD6 mov eax, dword ptr fs:[00000030h] 18_2_04E08CD6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4849B mov eax, dword ptr fs:[00000030h] 18_2_04D4849B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DCC450 mov eax, dword ptr fs:[00000030h] 18_2_04DCC450
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DCC450 mov eax, dword ptr fs:[00000030h] 18_2_04DCC450
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6A44B mov eax, dword ptr fs:[00000030h] 18_2_04D6A44B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5746D mov eax, dword ptr fs:[00000030h] 18_2_04D5746D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB6C0A mov eax, dword ptr fs:[00000030h] 18_2_04DB6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB6C0A mov eax, dword ptr fs:[00000030h] 18_2_04DB6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB6C0A mov eax, dword ptr fs:[00000030h] 18_2_04DB6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB6C0A mov eax, dword ptr fs:[00000030h] 18_2_04DB6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1C06 mov eax, dword ptr fs:[00000030h] 18_2_04DF1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E0740D mov eax, dword ptr fs:[00000030h] 18_2_04E0740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E0740D mov eax, dword ptr fs:[00000030h] 18_2_04E0740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E0740D mov eax, dword ptr fs:[00000030h] 18_2_04E0740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6BC2C mov eax, dword ptr fs:[00000030h] 18_2_04D6BC2C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB6DC9 mov eax, dword ptr fs:[00000030h] 18_2_04DB6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB6DC9 mov eax, dword ptr fs:[00000030h] 18_2_04DB6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB6DC9 mov eax, dword ptr fs:[00000030h] 18_2_04DB6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB6DC9 mov ecx, dword ptr fs:[00000030h] 18_2_04DB6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB6DC9 mov eax, dword ptr fs:[00000030h] 18_2_04DB6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB6DC9 mov eax, dword ptr fs:[00000030h] 18_2_04DB6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DE8DF1 mov eax, dword ptr fs:[00000030h] 18_2_04DE8DF1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4D5E0 mov eax, dword ptr fs:[00000030h] 18_2_04D4D5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4D5E0 mov eax, dword ptr fs:[00000030h] 18_2_04D4D5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DFFDE2 mov eax, dword ptr fs:[00000030h] 18_2_04DFFDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DFFDE2 mov eax, dword ptr fs:[00000030h] 18_2_04DFFDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DFFDE2 mov eax, dword ptr fs:[00000030h] 18_2_04DFFDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DFFDE2 mov eax, dword ptr fs:[00000030h] 18_2_04DFFDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E005AC mov eax, dword ptr fs:[00000030h] 18_2_04E005AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E005AC mov eax, dword ptr fs:[00000030h] 18_2_04E005AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6FD9B mov eax, dword ptr fs:[00000030h] 18_2_04D6FD9B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6FD9B mov eax, dword ptr fs:[00000030h] 18_2_04D6FD9B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D62581 mov eax, dword ptr fs:[00000030h] 18_2_04D62581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D62581 mov eax, dword ptr fs:[00000030h] 18_2_04D62581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D62581 mov eax, dword ptr fs:[00000030h] 18_2_04D62581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D62581 mov eax, dword ptr fs:[00000030h] 18_2_04D62581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D32D8A mov eax, dword ptr fs:[00000030h] 18_2_04D32D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D32D8A mov eax, dword ptr fs:[00000030h] 18_2_04D32D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D32D8A mov eax, dword ptr fs:[00000030h] 18_2_04D32D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D32D8A mov eax, dword ptr fs:[00000030h] 18_2_04D32D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D32D8A mov eax, dword ptr fs:[00000030h] 18_2_04D32D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61DB5 mov eax, dword ptr fs:[00000030h] 18_2_04D61DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61DB5 mov eax, dword ptr fs:[00000030h] 18_2_04D61DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61DB5 mov eax, dword ptr fs:[00000030h] 18_2_04D61DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D635A1 mov eax, dword ptr fs:[00000030h] 18_2_04D635A1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D57D50 mov eax, dword ptr fs:[00000030h] 18_2_04D57D50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D73D43 mov eax, dword ptr fs:[00000030h] 18_2_04D73D43
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB3540 mov eax, dword ptr fs:[00000030h] 18_2_04DB3540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5C577 mov eax, dword ptr fs:[00000030h] 18_2_04D5C577
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5C577 mov eax, dword ptr fs:[00000030h] 18_2_04D5C577
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E08D34 mov eax, dword ptr fs:[00000030h] 18_2_04E08D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D43D34 mov eax, dword ptr fs:[00000030h] 18_2_04D43D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D43D34 mov eax, dword ptr fs:[00000030h] 18_2_04D43D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D43D34 mov eax, dword ptr fs:[00000030h] 18_2_04D43D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D43D34 mov eax, dword ptr fs:[00000030h] 18_2_04D43D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D43D34 mov eax, dword ptr fs:[00000030h] 18_2_04D43D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D43D34 mov eax, dword ptr fs:[00000030h] 18_2_04D43D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D43D34 mov eax, dword ptr fs:[00000030h] 18_2_04D43D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D43D34 mov eax, dword ptr fs:[00000030h] 18_2_04D43D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D43D34 mov eax, dword ptr fs:[00000030h] 18_2_04D43D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D43D34 mov eax, dword ptr fs:[00000030h] 18_2_04D43D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D43D34 mov eax, dword ptr fs:[00000030h] 18_2_04D43D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D43D34 mov eax, dword ptr fs:[00000030h] 18_2_04D43D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D43D34 mov eax, dword ptr fs:[00000030h] 18_2_04D43D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3AD30 mov eax, dword ptr fs:[00000030h] 18_2_04D3AD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DFE539 mov eax, dword ptr fs:[00000030h] 18_2_04DFE539
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DBA537 mov eax, dword ptr fs:[00000030h] 18_2_04DBA537
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D64D3B mov eax, dword ptr fs:[00000030h] 18_2_04D64D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D64D3B mov eax, dword ptr fs:[00000030h] 18_2_04D64D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D64D3B mov eax, dword ptr fs:[00000030h] 18_2_04D64D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D78EC7 mov eax, dword ptr fs:[00000030h] 18_2_04D78EC7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D636CC mov eax, dword ptr fs:[00000030h] 18_2_04D636CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DEFEC0 mov eax, dword ptr fs:[00000030h] 18_2_04DEFEC0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E08ED6 mov eax, dword ptr fs:[00000030h] 18_2_04E08ED6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D616E0 mov ecx, dword ptr fs:[00000030h] 18_2_04D616E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D476E2 mov eax, dword ptr fs:[00000030h] 18_2_04D476E2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E00EA5 mov eax, dword ptr fs:[00000030h] 18_2_04E00EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E00EA5 mov eax, dword ptr fs:[00000030h] 18_2_04E00EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E00EA5 mov eax, dword ptr fs:[00000030h] 18_2_04E00EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DCFE87 mov eax, dword ptr fs:[00000030h] 18_2_04DCFE87
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB46A7 mov eax, dword ptr fs:[00000030h] 18_2_04DB46A7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D47E41 mov eax, dword ptr fs:[00000030h] 18_2_04D47E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D47E41 mov eax, dword ptr fs:[00000030h] 18_2_04D47E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D47E41 mov eax, dword ptr fs:[00000030h] 18_2_04D47E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D47E41 mov eax, dword ptr fs:[00000030h] 18_2_04D47E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D47E41 mov eax, dword ptr fs:[00000030h] 18_2_04D47E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D47E41 mov eax, dword ptr fs:[00000030h] 18_2_04D47E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DFAE44 mov eax, dword ptr fs:[00000030h] 18_2_04DFAE44
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DFAE44 mov eax, dword ptr fs:[00000030h] 18_2_04DFAE44
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5AE73 mov eax, dword ptr fs:[00000030h] 18_2_04D5AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5AE73 mov eax, dword ptr fs:[00000030h] 18_2_04D5AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5AE73 mov eax, dword ptr fs:[00000030h] 18_2_04D5AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5AE73 mov eax, dword ptr fs:[00000030h] 18_2_04D5AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5AE73 mov eax, dword ptr fs:[00000030h] 18_2_04D5AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4766D mov eax, dword ptr fs:[00000030h] 18_2_04D4766D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6A61C mov eax, dword ptr fs:[00000030h] 18_2_04D6A61C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6A61C mov eax, dword ptr fs:[00000030h] 18_2_04D6A61C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3C600 mov eax, dword ptr fs:[00000030h] 18_2_04D3C600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3C600 mov eax, dword ptr fs:[00000030h] 18_2_04D3C600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3C600 mov eax, dword ptr fs:[00000030h] 18_2_04D3C600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D68E00 mov eax, dword ptr fs:[00000030h] 18_2_04D68E00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF1608 mov eax, dword ptr fs:[00000030h] 18_2_04DF1608
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DEFE3F mov eax, dword ptr fs:[00000030h] 18_2_04DEFE3F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3E620 mov eax, dword ptr fs:[00000030h] 18_2_04D3E620
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D737F5 mov eax, dword ptr fs:[00000030h] 18_2_04D737F5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D48794 mov eax, dword ptr fs:[00000030h] 18_2_04D48794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB7794 mov eax, dword ptr fs:[00000030h] 18_2_04DB7794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB7794 mov eax, dword ptr fs:[00000030h] 18_2_04DB7794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB7794 mov eax, dword ptr fs:[00000030h] 18_2_04DB7794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E08F6A mov eax, dword ptr fs:[00000030h] 18_2_04E08F6A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4EF40 mov eax, dword ptr fs:[00000030h] 18_2_04D4EF40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4FF60 mov eax, dword ptr fs:[00000030h] 18_2_04D4FF60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5F716 mov eax, dword ptr fs:[00000030h] 18_2_04D5F716
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DCFF10 mov eax, dword ptr fs:[00000030h] 18_2_04DCFF10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DCFF10 mov eax, dword ptr fs:[00000030h] 18_2_04DCFF10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6A70E mov eax, dword ptr fs:[00000030h] 18_2_04D6A70E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6A70E mov eax, dword ptr fs:[00000030h] 18_2_04D6A70E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6E730 mov eax, dword ptr fs:[00000030h] 18_2_04D6E730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E0070D mov eax, dword ptr fs:[00000030h] 18_2_04E0070D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E0070D mov eax, dword ptr fs:[00000030h] 18_2_04E0070D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D34F2E mov eax, dword ptr fs:[00000030h] 18_2_04D34F2E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D34F2E mov eax, dword ptr fs:[00000030h] 18_2_04D34F2E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DCB8D0 mov eax, dword ptr fs:[00000030h] 18_2_04DCB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DCB8D0 mov ecx, dword ptr fs:[00000030h] 18_2_04DCB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DCB8D0 mov eax, dword ptr fs:[00000030h] 18_2_04DCB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DCB8D0 mov eax, dword ptr fs:[00000030h] 18_2_04DCB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DCB8D0 mov eax, dword ptr fs:[00000030h] 18_2_04DCB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DCB8D0 mov eax, dword ptr fs:[00000030h] 18_2_04DCB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D358EC mov eax, dword ptr fs:[00000030h] 18_2_04D358EC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D39080 mov eax, dword ptr fs:[00000030h] 18_2_04D39080
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB3884 mov eax, dword ptr fs:[00000030h] 18_2_04DB3884
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB3884 mov eax, dword ptr fs:[00000030h] 18_2_04DB3884
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6F0BF mov ecx, dword ptr fs:[00000030h] 18_2_04D6F0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6F0BF mov eax, dword ptr fs:[00000030h] 18_2_04D6F0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6F0BF mov eax, dword ptr fs:[00000030h] 18_2_04D6F0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D620A0 mov eax, dword ptr fs:[00000030h] 18_2_04D620A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D620A0 mov eax, dword ptr fs:[00000030h] 18_2_04D620A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D620A0 mov eax, dword ptr fs:[00000030h] 18_2_04D620A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D620A0 mov eax, dword ptr fs:[00000030h] 18_2_04D620A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D620A0 mov eax, dword ptr fs:[00000030h] 18_2_04D620A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D620A0 mov eax, dword ptr fs:[00000030h] 18_2_04D620A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D790AF mov eax, dword ptr fs:[00000030h] 18_2_04D790AF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D50050 mov eax, dword ptr fs:[00000030h] 18_2_04D50050
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D50050 mov eax, dword ptr fs:[00000030h] 18_2_04D50050
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E01074 mov eax, dword ptr fs:[00000030h] 18_2_04E01074
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DF2073 mov eax, dword ptr fs:[00000030h] 18_2_04DF2073
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB7016 mov eax, dword ptr fs:[00000030h] 18_2_04DB7016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB7016 mov eax, dword ptr fs:[00000030h] 18_2_04DB7016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB7016 mov eax, dword ptr fs:[00000030h] 18_2_04DB7016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E04015 mov eax, dword ptr fs:[00000030h] 18_2_04E04015
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E04015 mov eax, dword ptr fs:[00000030h] 18_2_04E04015
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6002D mov eax, dword ptr fs:[00000030h] 18_2_04D6002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6002D mov eax, dword ptr fs:[00000030h] 18_2_04D6002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6002D mov eax, dword ptr fs:[00000030h] 18_2_04D6002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6002D mov eax, dword ptr fs:[00000030h] 18_2_04D6002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6002D mov eax, dword ptr fs:[00000030h] 18_2_04D6002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4B02A mov eax, dword ptr fs:[00000030h] 18_2_04D4B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4B02A mov eax, dword ptr fs:[00000030h] 18_2_04D4B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4B02A mov eax, dword ptr fs:[00000030h] 18_2_04D4B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4B02A mov eax, dword ptr fs:[00000030h] 18_2_04D4B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3B1E1 mov eax, dword ptr fs:[00000030h] 18_2_04D3B1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3B1E1 mov eax, dword ptr fs:[00000030h] 18_2_04D3B1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3B1E1 mov eax, dword ptr fs:[00000030h] 18_2_04D3B1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DC41E8 mov eax, dword ptr fs:[00000030h] 18_2_04DC41E8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D62990 mov eax, dword ptr fs:[00000030h] 18_2_04D62990
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6A185 mov eax, dword ptr fs:[00000030h] 18_2_04D6A185
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5C182 mov eax, dword ptr fs:[00000030h] 18_2_04D5C182
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB51BE mov eax, dword ptr fs:[00000030h] 18_2_04DB51BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB51BE mov eax, dword ptr fs:[00000030h] 18_2_04DB51BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB51BE mov eax, dword ptr fs:[00000030h] 18_2_04DB51BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB51BE mov eax, dword ptr fs:[00000030h] 18_2_04DB51BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D661A0 mov eax, dword ptr fs:[00000030h] 18_2_04D661A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D661A0 mov eax, dword ptr fs:[00000030h] 18_2_04D661A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DB69A6 mov eax, dword ptr fs:[00000030h] 18_2_04DB69A6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5B944 mov eax, dword ptr fs:[00000030h] 18_2_04D5B944
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5B944 mov eax, dword ptr fs:[00000030h] 18_2_04D5B944
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3B171 mov eax, dword ptr fs:[00000030h] 18_2_04D3B171
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3B171 mov eax, dword ptr fs:[00000030h] 18_2_04D3B171
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3C962 mov eax, dword ptr fs:[00000030h] 18_2_04D3C962
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D39100 mov eax, dword ptr fs:[00000030h] 18_2_04D39100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D39100 mov eax, dword ptr fs:[00000030h] 18_2_04D39100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D39100 mov eax, dword ptr fs:[00000030h] 18_2_04D39100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6513A mov eax, dword ptr fs:[00000030h] 18_2_04D6513A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6513A mov eax, dword ptr fs:[00000030h] 18_2_04D6513A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D54120 mov eax, dword ptr fs:[00000030h] 18_2_04D54120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D54120 mov eax, dword ptr fs:[00000030h] 18_2_04D54120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D54120 mov eax, dword ptr fs:[00000030h] 18_2_04D54120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D54120 mov eax, dword ptr fs:[00000030h] 18_2_04D54120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D54120 mov ecx, dword ptr fs:[00000030h] 18_2_04D54120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D62ACB mov eax, dword ptr fs:[00000030h] 18_2_04D62ACB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D62AE4 mov eax, dword ptr fs:[00000030h] 18_2_04D62AE4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6D294 mov eax, dword ptr fs:[00000030h] 18_2_04D6D294
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6D294 mov eax, dword ptr fs:[00000030h] 18_2_04D6D294
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4AAB0 mov eax, dword ptr fs:[00000030h] 18_2_04D4AAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D4AAB0 mov eax, dword ptr fs:[00000030h] 18_2_04D4AAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6FAB0 mov eax, dword ptr fs:[00000030h] 18_2_04D6FAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D352A5 mov eax, dword ptr fs:[00000030h] 18_2_04D352A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D352A5 mov eax, dword ptr fs:[00000030h] 18_2_04D352A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D352A5 mov eax, dword ptr fs:[00000030h] 18_2_04D352A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D352A5 mov eax, dword ptr fs:[00000030h] 18_2_04D352A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D352A5 mov eax, dword ptr fs:[00000030h] 18_2_04D352A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04E08A62 mov eax, dword ptr fs:[00000030h] 18_2_04E08A62
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DFEA55 mov eax, dword ptr fs:[00000030h] 18_2_04DFEA55
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DC4257 mov eax, dword ptr fs:[00000030h] 18_2_04DC4257
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D39240 mov eax, dword ptr fs:[00000030h] 18_2_04D39240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D39240 mov eax, dword ptr fs:[00000030h] 18_2_04D39240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D39240 mov eax, dword ptr fs:[00000030h] 18_2_04D39240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D39240 mov eax, dword ptr fs:[00000030h] 18_2_04D39240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7927A mov eax, dword ptr fs:[00000030h] 18_2_04D7927A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DEB260 mov eax, dword ptr fs:[00000030h] 18_2_04DEB260
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04DEB260 mov eax, dword ptr fs:[00000030h] 18_2_04DEB260
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D35210 mov eax, dword ptr fs:[00000030h] 18_2_04D35210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D35210 mov ecx, dword ptr fs:[00000030h] 18_2_04D35210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D35210 mov eax, dword ptr fs:[00000030h] 18_2_04D35210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D35210 mov eax, dword ptr fs:[00000030h] 18_2_04D35210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3AA16 mov eax, dword ptr fs:[00000030h] 18_2_04D3AA16
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3AA16 mov eax, dword ptr fs:[00000030h] 18_2_04D3AA16
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\scan-copy 202204.exe Code function: 15_2_00409B50 LdrLoadDll, 15_2_00409B50
Source: C:\Users\user\Desktop\scan-copy 202204.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.eco-friendly.one
Source: C:\Windows\explorer.exe Network Connect: 198.54.114.195 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.brickstoneinvestmentltd.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\scan-copy 202204.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 13E0000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\scan-copy 202204.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\scan-copy 202204.exe Memory written: C:\Users\user\Desktop\scan-copy 202204.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\scan-copy 202204.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\scan-copy 202204.exe Thread register set: target process: 3968 Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 3968 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 10 Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Process created: C:\Users\user\Desktop\scan-copy 202204.exe C:\Users\user\Desktop\scan-copy 202204.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 10 Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\scan-copy 202204.exe" Jump to behavior
Source: explorer.exe, 00000010.00000000.386410813.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.350617281.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000010.00000000.390581083.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.394754233.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.350841602.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.350841602.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.369057913.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.386834725.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.350841602.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.369057913.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.386834725.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000010.00000000.368703357.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.350632688.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.386457348.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000010.00000000.350841602.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.369057913.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.386834725.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Users\user\Desktop\scan-copy 202204.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\scan-copy 202204.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.scan-copy 202204.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.scan-copy 202204.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.350851832.000000000422E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.346977202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.417985848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.418441297.0000000000E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.522775932.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.525132874.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.380882775.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.405802812.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.418321488.0000000000E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.347441140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.350752708.0000000004198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.523682019.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.350609440.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.scan-copy 202204.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.scan-copy 202204.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.scan-copy 202204.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.350851832.000000000422E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.346977202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.417985848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.418441297.0000000000E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.522775932.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.525132874.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.380882775.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.405802812.000000000EAF5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.418321488.0000000000E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.347441140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.350752708.0000000004198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.523682019.0000000000FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.350609440.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 612083 Sample: scan-copy 202204.exe Startdate: 20/04/2022 Architecture: WINDOWS Score: 100 38 www.allgamescracked.com 2->38 40 allgamescracked.com 2->40 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->62 64 7 other signatures 2->64 11 scan-copy 202204.exe 15 4 2->11         started        signatures3 process4 dnsIp5 48 cdn.discordapp.com 162.159.135.233, 443, 49742 CLOUDFLARENETUS United States 11->48 36 C:\Users\user\...\scan-copy 202204.exe.log, ASCII 11->36 dropped 68 Injects a PE file into a foreign processes 11->68 16 scan-copy 202204.exe 11->16         started        19 cmd.exe 1 11->19         started        file6 signatures7 process8 signatures9 50 Modifies the context of a thread in another process (thread injection) 16->50 52 Maps a DLL or memory area into another process 16->52 54 Sample uses process hollowing technique 16->54 56 Queues an APC in another process (thread injection) 16->56 21 explorer.exe 16->21 injected 25 conhost.exe 19->25         started        27 timeout.exe 1 19->27         started        process10 dnsIp11 42 brickstoneinvestmentltd.com 198.54.114.195, 49759, 80 NAMECHEAP-NETUS United States 21->42 44 www.eco-friendly.one 21->44 46 www.brickstoneinvestmentltd.com 21->46 66 System process connects to network (likely due to code injection or exploit) 21->66 29 msdt.exe 21->29         started        signatures12 process13 signatures14 70 Self deletion via cmd delete 29->70 72 Modifies the context of a thread in another process (thread injection) 29->72 74 Maps a DLL or memory area into another process 29->74 76 Tries to detect virtualization through RDTSC time measurements 29->76 32 cmd.exe 1 29->32         started        process15 process16 34 conhost.exe 32->34         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
198.54.114.195
 brickstoneinvestmentltd.com United States
22612 NAMECHEAP-NETUS true
162.159.135.233
 cdn.discordapp.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
allgamescracked.com 81.88.48.71 true
cdn.discordapp.com 162.159.135.233 true
brickstoneinvestmentltd.com 198.54.114.195 true
www.eco-friendly.one unknown unknown
www.allgamescracked.com unknown unknown
www.brickstoneinvestmentltd.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://cdn.discordapp.com/attachments/964082530275954728/966271154442612776/Usevbg_Pzmwkikx.bmp false
    		high
    http://www.brickstoneinvestmentltd.com/s59h/?gPt=J9yIbbq2JC4kGJ28zSLAHEMUc2712/mbh0KUqSU+6gyJcm/2qQQ0g7MEmxyaj1IcJpiC&wTOHf=8pqLRLgpXn9D true
    • Avira URL Cloud: safe
    		 unknown
    www.tenacityshipping.com/s59h/ true
    • Avira URL Cloud: safe
    		 low