Windows Analysis Report Fu94e0b1TR

Overview

General Information

Sample Name: Fu94e0b1TR (renamed file extension from none to exe)
Analysis ID: 502374
MD5: 6429aa83e4bc083b4f0b3f44b0d7950f
SHA1: 0ead59881f054284f611accb61451ed1ffc818fc
SHA256: 96c57ae661562e958e01bb0b490c09a0a51bb367931620223174963de88bdfcb
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.fis.photos/ef6c/"], "decoy": ["gicaredocs.com", "govusergroup.com", "conversationspit.com", "brondairy.com", "rjtherealest.com", "xn--9m1bq8wgkag3rjvb.com", "mylori.net", "softandcute.store", "ahljsm.com", "shacksolid.com", "weekendmusecollection.com", "gaminghallarna.net", "pgonline111.online", "44mpt.xyz", "ambrandt.com", "eddytattoo.com", "blendeqes.com", "upinmyfeels.com", "lacucinadesign.com", "docomoau.xyz", "xn--90armbk7e.online", "xzq585858.net", "kidzgovroom.com", "lhznqyl.press", "publicationsplace.com", "jakante.com", "csspadding.com", "test-testjisdnsec.store", "lafabriqueabeilleassurances.com", "clf010.com", "buybabysnuggle.com", "uzmdrmustafaalperaykanat.com", "levanttradegroup.com", "arcflorals.com", "kinglot2499.com", "freekagyans.com", "region10group.gmbh", "yeyelm744.com", "thehomedesigncentre.com", "vngc.xyz", "szesdkj.com", "charlottewright.online", "planetgreennetwork.com", "pacifica7.com", "analogueadapt.com", "sensorypantry.com", "narbaal.com", "restaurant-utopia.xyz", "golnay.com", "szyyglass.com", "redelirevearyseuiop.xyz", "goldsteelconstruction.com", "discovercotswoldcottages.com", "geniuseven.net", "apricitee.com", "stopmoshenik.online", "ya2gh.com", "instatechnovelz.com", "dbe648.com", "seifjuban.com", "conquershirts.store", "totalcovidtravel.com", "pamperotrabajo.com", "satellitphonestore.com"]}
Yara detected FormBook
Source: Yara match File source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Fu94e0b1TR.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Fu94e0b1TR.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
Source: Binary string: netstat.pdb source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: Fu94e0b1TR.exe, 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, NETSTAT.EXE, 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Fu94e0b1TR.exe, NETSTAT.EXE

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 4x nop then pop ebx 6_2_00406ABB
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 4x nop then pop edi 6_2_0040C37C
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 4x nop then pop edi 6_2_0040C3E9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop ebx 18_2_003C6ABB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 18_2_003CC37C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 18_2_003CC3E9
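The six findings above are the same three functions seen twice: 0x406ABB, 0x40C37C and 0x40C3E9 in Fu94e0b1TR.exe (PID 6, image mapped at 0x400000) and 0x3C6ABB, 0x3CC37C and 0x3CC3E9 in NETSTAT.EXE (PID 18, the 0x3C0000 region that also carries a FormBook Yara match in the AV Detection section). Subtracting the mapping bases gives identical RVAs 0x6ABB, 0xC37C and 0xC3E9, which is what you expect when one payload image has been written into two processes rather than two unrelated pieces of code happening to use the same filler. The Python below is an added example for this report, not Joe Sandbox code: it implements the nop-run-followed-by-pop heuristic over a constructed byte buffer (the buffer and its instruction mix are invented for illustration) and checks RVA overlap using the addresses the report lists.

```python
"""Heuristic behind the report's "4x nop then pop <reg>" findings, plus the
RVA check that ties the Fu94e0b1TR.exe and NETSTAT.EXE hits together.
Added example for this report, not Joe Sandbox code.  SAMPLE is a constructed
buffer; EXE_ADDRS and NETSTAT_ADDRS are the addresses the report lists."""

NOP = 0x90
# One-byte pop r32 opcodes: 0x58 + register number.
POP_REG = {0x58 + i: name for i, name in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}


def find_nop_pop(code, min_nops=4):
    """Return (offset, nop_count, register) for every run of at least
    min_nops 0x90 bytes that is immediately followed by a one-byte pop r32.

    Compilers emit nop padding between functions, but a run that feeds
    straight into a pop is the inlined filler the report attributes to
    shellcode or obfuscated code."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and code[i] == NOP:
            i += 1
        run = i - start
        if run >= min_nops and i < n and code[i] in POP_REG:
            hits.append((start, run, POP_REG[code[i]]))
    return hits


def shared_rvas(addrs_a, base_a, addrs_b, base_b):
    """RVAs (address minus mapping base) present in both address sets.
    Equal RVAs across two mappings strongly suggest the same code image
    was written to both processes."""
    return sorted({a - base_a for a in addrs_a} & {b - base_b for b in addrs_b})


# Constructed buffer: two qualifying runs (4 nops + pop ebx, 5 nops + pop edi),
# one too-short run (3 nops + pop esi) and one run followed by a mov (no hit).
SAMPLE = bytes([0x55, 0x8B, 0xEC,                      # push ebp; mov ebp, esp
                0x90, 0x90, 0x90, 0x90, 0x5B,          # 4x nop; pop ebx  (hit @3)
                0x31, 0xC0,                            # xor eax, eax
                0x90, 0x90, 0x90, 0x5E,                # 3x nop; pop esi  (too short)
                0x90, 0x90, 0x90, 0x90, 0x90, 0x5F,    # 5x nop; pop edi  (hit @14)
                0x90, 0x90, 0x90, 0x90, 0x89, 0xC1])   # 4x nop; mov ecx, eax (no pop)

# "Code function" addresses from the report: the same three functions in each process.
EXE_ADDRS = [0x00406ABB, 0x0040C37C, 0x0040C3E9]      # Fu94e0b1TR.exe, PID 6, base 0x400000
NETSTAT_ADDRS = [0x003C6ABB, 0x003CC37C, 0x003CC3E9]  # NETSTAT.EXE, PID 18, region 0x3C0000

if __name__ == "__main__":
    for off, run, reg in find_nop_pop(SAMPLE):
        print(f"offset 0x{off:x}: {run}x nop then pop {reg}")
    rvas = shared_rvas(EXE_ADDRS, 0x400000, NETSTAT_ADDRS, 0x3C0000)
    print("shared RVAs:", [hex(r) for r in rvas])
```

Running the buffer through the scanner with the default threshold reports the two four-plus runs and ignores the three-nop run and the run that ends in a mov; lowering min_nops to 3 picks up the shorter run as well, which is the knob to turn if a sample's filler is shorter than what this report shows.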

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 64.190.62.111:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 64.190.62.111:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 64.190.62.111:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 192.0.78.24:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 192.0.78.24:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 192.0.78.24:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.instatechnovelz.com
Source: C:\Windows\explorer.exe Network Connect: 172.65.227.72 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.apricitee.com
Source: C:\Windows\explorer.exe Domain query: www.shacksolid.com
Source: C:\Windows\explorer.exe Network Connect: 64.190.62.111 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.brondairy.com
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
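What the two signatures above record is the FormBook injection chain as seen from process and network telemetry: explorer.exe, which has no business resolving arbitrary web hosts, issues DNS queries and connects out on port 80, and explorer.exe launches C:\Windows\SysWOW64\NETSTAT.EXE with a command line that is nothing but the image path. That NETSTAT.EXE is the host the injected code then populates; the FormBook Yara matches in PID 18 (0x12 in the memory dump names) under AV Detection are the payload sitting in it. The Python below is an added example for this report, not Joe Sandbox code. It runs those two rules plus a composite over a small constructed event list in Sysmon-like shape: the field names Image, ParentImage, CommandLine, DestinationIp and QueryName are modelled on Sysmon but this is not a Sysmon parser, the malicious events are built from the report's values, and the benign control events are invented. explorer.exe does produce some legitimate outbound traffic, so the single-rule hits need tuning against a baseline; the composite (explorer.exe both spawning a bare SysWOW64 binary and generating network traffic) is the higher-confidence signal.

```python
"""Detection logic for the two behaviours the report records here: explorer.exe
doing DNS/HTTP, and explorer.exe spawning a SysWOW64 binary with no arguments.
Added example for this report, not Joe Sandbox code.  EVENTS is constructed in
a Sysmon-like shape (IDs 1 = ProcessCreate, 3 = NetworkConnect, 22 = DnsQuery);
images, hosts and IPs come from the report, the benign controls are invented."""
import ntpath

SHELL = r"c:\windows\explorer.exe"
SYSWOW64 = r"c:\windows\syswow64"

EVENTS = [
    {"id": 1, "Image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "CommandLine": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 22, "Image": r"C:\Windows\explorer.exe",
     "QueryName": "www.instatechnovelz.com"},
    {"id": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "64.190.62.111", "DestinationPort": 80},
    # Constructed benign controls: a user opening a file, and a service
    # process that is expected to talk to the network (TEST-NET-3 address).
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]


def has_no_arguments(image, command_line):
    """True when the command line is just the image path, quoted or not.
    FormBook starts its host binary this way; a tool a user launches from
    Explorer usually carries a document or switch."""
    cl = command_line.strip()
    if len(cl) >= 2 and cl.startswith('"') and cl.endswith('"'):
        cl = cl[1:-1]
    return cl.lower() == image.lower()


def detect(events):
    """Apply the rules to an event list; return (rule, image, detail) tuples."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "")
        if ev["id"] == 1:
            parent = ev.get("ParentImage", "").lower()
            if (parent == SHELL
                    and ntpath.dirname(image).lower() == SYSWOW64
                    and has_no_arguments(image, ev.get("CommandLine", ""))):
                alerts.append(("explorer_spawns_bare_syswow64_binary",
                               image, ev["CommandLine"]))
        elif ev["id"] == 3 and image.lower() == SHELL:
            alerts.append(("explorer_network_connect", image,
                           f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
        elif ev["id"] == 22 and image.lower() == SHELL:
            alerts.append(("explorer_dns_query", image, ev["QueryName"]))
    return alerts


def injection_chain(alerts):
    """Composite: explorer.exe both spawned a bare SysWOW64 binary and produced
    network activity.  Either alone is tunable noise; together they match the
    inject-then-beacon sequence this report shows."""
    rules = {a[0] for a in alerts}
    return ("explorer_spawns_bare_syswow64_binary" in rules
            and bool(rules & {"explorer_dns_query", "explorer_network_connect"}))


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, image, detail in found:
        print(f"{rule:40} {image}  {detail}")
    print("injection chain:", injection_chain(found))
```

The benign controls fall through both rules: notepad.exe lives in System32 and carries an argument, and svchost.exe is not the shell. A real deployment would key the parent check on process GUID rather than image path, but the shape of the logic is the same.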
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.fis.photos/ef6c/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NBS11696US NBS11696US
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ef6c/?BJB=7nO80D&yrTlglv8=KSHN/72DEJPyd/OuGOIXNFBSZoOhZSSqcZP1Rqc2bg8KEPsXLZdPsQK+HlsXn3Jp1PaC HTTP/1.1
  Host: www.apricitee.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected: GET /ef6c/?yrTlglv8=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/KtIrBMaY3r&BJB=7nO80D HTTP/1.1
  Host: www.shacksolid.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
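Both requests above went to www.apricitee.com and www.shacksolid.com, and both of those names sit in the decoy list of the configuration extracted under AV Detection, while the configured C2, www.fis.photos/ef6c/, does not appear anywhere in the captured traffic; the sedo.com parking string later recovered from NETSTAT.EXE memory for shacksolid.com is consistent with a decoy. FormBook beacons to decoy hosts alongside its real C2 so that the C2 hides in the noise, which is why the host names here are weak indicators while the URI path /ef6c/ and the parameter names BJB and yrTlglv8 are shared by both requests and by the configured C2 path (only the encoded parameter values change per request). The Python below is an added example for this report, not Joe Sandbox code: it parses the extractor's JSON (decoy list trimmed to the entries needed here), classifies each observed request as C2, decoy or unknown, extracts the path-plus-parameter-names fingerprint, and reports which configured C2 hosts were never contacted. Function names and the classification logic are this example's own.

```python
"""Correlate a FormBook configuration extracted by the sandbox with the HTTP
requests it actually observed.  Added example for this report, not Joe Sandbox
code; the config and request lines are copied from the report, the function
names and the classification logic are this example's own."""
import json
from urllib.parse import urlsplit, parse_qs

# From the "Malware Configuration Extractor" line of the report; the decoy
# list is cut down to the entries needed here (the report lists 64).
CONFIG_JSON = """{"C2 list": ["www.fis.photos/ef6c/"],
 "decoy": ["gicaredocs.com", "brondairy.com", "shacksolid.com",
           "instatechnovelz.com", "apricitee.com", "satellitphonestore.com"]}"""

# (host, request-target) pairs from the two "HTTP GET or POST without a user
# agent" lines of the report.
OBSERVED = [
    ("www.apricitee.com",
     "/ef6c/?BJB=7nO80D&yrTlglv8=KSHN/72DEJPyd/OuGOIXNFBSZoOhZSSqcZP1Rqc2bg8KEPsXLZdPsQK+HlsXn3Jp1PaC"),
    ("www.shacksolid.com",
     "/ef6c/?yrTlglv8=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/KtIrBMaY3r&BJB=7nO80D"),
]


def registrable(host):
    """Lower-case a host and drop a leading 'www.' so it compares with the
    bare domains FormBook stores in its decoy list."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_config(text):
    """Split the extractor output into C2 (host, path) pairs and a decoy set."""
    raw = json.loads(text)
    c2 = []
    for entry in raw.get("C2 list", []):
        parts = urlsplit("http://" + entry)
        c2.append((parts.hostname, parts.path or "/"))
    decoys = {registrable(d) for d in raw.get("decoy", [])}
    return {"c2": c2, "decoys": decoys}


def classify_request(host, target, cfg):
    """Label one request 'c2', 'decoy' or 'unknown' against the config.
    A C2 hit needs host and URI path to agree; a decoy request reuses the
    C2 path (/ef6c/ here) but goes to a host from the decoy list."""
    path = urlsplit(target).path or "/"
    for c2_host, c2_path in cfg["c2"]:
        if registrable(host) == registrable(c2_host) and path == c2_path:
            return "c2"
    if registrable(host) in cfg["decoys"]:
        return "decoy"
    return "unknown"


def fingerprint(observed):
    """Return the URI path and the query-parameter names common to every
    observed request.  The values change per request, the path and names
    do not, so this pair is a better detection hook than any decoy host."""
    paths, names = set(), None
    for _, target in observed:
        parts = urlsplit(target)
        paths.add(parts.path)
        keys = set(parse_qs(parts.query, keep_blank_values=True))
        names = keys if names is None else names & keys
    path = paths.pop() if len(paths) == 1 else None
    return path, frozenset(names or ())


def uncontacted_c2(observed, cfg):
    """Configured C2 hosts that never appeared in the captured traffic."""
    seen = {registrable(h) for h, _ in observed}
    return [h for h, _ in cfg["c2"] if registrable(h) not in seen]


CFG = parse_config(CONFIG_JSON)

if __name__ == "__main__":
    for host, target in OBSERVED:
        print(f"{host:24} {classify_request(host, target, CFG)}")
    print("fingerprint:", fingerprint(OBSERVED))
    print("C2 not contacted during capture:", uncontacted_c2(OBSERVED, CFG))
```

Against this report the script labels both requests as decoys, extracts ("/ef6c/", {"BJB", "yrTlglv8"}) as the fingerprint, and lists www.fis.photos as the C2 that was never reached in the capture, which is the host to block and hunt for rather than the two decoys that actually resolved.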
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 64.190.62.111 64.190.62.111
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Fu94e0b1TR.exe, 00000000.00000003.252645289.00000000059A1000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Fu94e0b1TR.exe, 00000000.00000002.285145562.0000000005964000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Fu94e0b1TR.exe, 00000000.00000003.257245826.000000000599C000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/%
Source: Fu94e0b1TR.exe, 00000000.00000003.257106060.0000000005999000.00000004.00000001.sdmp, Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlr
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp, Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Fu94e0b1TR.exe, 00000000.00000003.259327134.0000000005999000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlx
Source: Fu94e0b1TR.exe, 00000000.00000003.259563222.0000000005999000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers5
Source: Fu94e0b1TR.exe, 00000000.00000003.259630894.0000000005999000.00000004.00000001.sdmp, Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Fu94e0b1TR.exe, 00000000.00000003.267018453.0000000005999000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersK
Source: Fu94e0b1TR.exe, 00000000.00000003.258524788.0000000005999000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersP
Source: Fu94e0b1TR.exe, 00000000.00000003.267018453.0000000005999000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersiva
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com7
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comD
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comFk
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comI.TTF
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comR.TTF
Source: Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalicu
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdito
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comessed
Source: Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comk
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comt
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comtuta
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Fu94e0b1TR.exe, 00000000.00000003.252060604.000000000599A000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Fu94e0b1TR.exe, 00000000.00000003.252293628.0000000005999000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Fu94e0b1TR.exe, 00000000.00000003.263851133.0000000005999000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Fu94e0b1TR.exe, 00000000.00000003.263851133.0000000005999000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/k
Source: Fu94e0b1TR.exe, 00000000.00000003.264392875.000000000599E000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/denQ
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Fu94e0b1TR.exe, 00000000.00000003.264185208.000000000597A000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmNormaldk
Source: Fu94e0b1TR.exe, 00000000.00000003.263989086.0000000005999000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmS
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//lpk
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/7
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/D
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0ro
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ch
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/D
Source: Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/k
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ms
Source: Fu94e0b1TR.exe, 00000000.00000003.253358837.0000000005963000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/nly
Source: Fu94e0b1TR.exe, 00000000.00000003.253958296.0000000005968000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/nt
Source: Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: Fu94e0b1TR.exe, 00000000.00000003.253827230.000000000596D000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Fu94e0b1TR.exe, 00000000.00000003.252359089.0000000005999000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.coma-e
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Fu94e0b1TR.exe, 00000000.00000003.261217392.000000000596E000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Fu94e0b1TR.exe, 00000000.00000003.261217392.000000000596E000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deMT
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: NETSTAT.EXE, 00000012.00000002.518424149.00000000033D2000.00000004.00020000.sdmp String found in binary or memory: https://flow.page/rjdarealest/ef6c/?BJB=7nO80D&yrTlglv8=yyRuLH34I
Source: NETSTAT.EXE, 00000012.00000002.518424149.00000000033D2000.00000004.00020000.sdmp String found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=e&domain=shacksolid.com&origin=sales_land
Source: unknown DNS traffic detected: queries for: www.apricitee.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: Fu94e0b1TR.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 0_2_00F5D064 0_2_00F5D064
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 0_2_00F5F296 0_2_00F5F296
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 0_2_00F5F298 0_2_00F5F298
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0041B9DA 6_2_0041B9DA
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0041C2B0 6_2_0041C2B0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_00408C70 6_2_00408C70
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0041BC20 6_2_0041BC20
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_00402D87 6_2_00402D87
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0041C58D 6_2_0041C58D
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0041BE92 6_2_0041BE92
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0118F900 6_2_0118F900
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01180D20 6_2_01180D20
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011A4120 6_2_011A4120
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01251D55 6_2_01251D55
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B2581 6_2_011B2581
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0119D5E0 6_2_0119D5E0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0119841F 6_2_0119841F
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01241002 6_2_01241002
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0119B090 6_2_0119B090
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B20A0 6_2_011B20A0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BEBB0 6_2_011BEBB0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011A6E30 6_2_011A6E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D66E30 18_2_02D66E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7EBB0 18_2_02D7EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5B090 18_2_02D5B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5841F 18_2_02D5841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01002 18_2_02E01002
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5D5E0 18_2_02D5D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E11D55 18_2_02E11D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4F900 18_2_02D4F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D40D20 18_2_02D40D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D64120 18_2_02D64120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003DB9DA 18_2_003DB9DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003DC2B0 18_2_003DC2B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003DBC20 18_2_003DBC20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003C8C70 18_2_003C8C70
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003C2D90 18_2_003C2D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003DC58D 18_2_003DC58D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003C2D87 18_2_003C2D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003DBE92 18_2_003DBE92
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003C2FB0 18_2_003C2FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 02D4B150 appears 32 times
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: String function: 0118B150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_004185B0 NtCreateFile, 6_2_004185B0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_00418660 NtReadFile, 6_2_00418660
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_004186E0 NtClose, 6_2_004186E0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_00418790 NtAllocateVirtualMemory, 6_2_00418790
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_004185AA NtCreateFile, 6_2_004185AA
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_004186DA NtClose, 6_2_004186DA
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0041878A NtAllocateVirtualMemory, 6_2_0041878A
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_011C9910
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9540 NtReadFile,LdrInitializeThunk, 6_2_011C9540
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C99A0 NtCreateSection,LdrInitializeThunk, 6_2_011C99A0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C95D0 NtClose,LdrInitializeThunk, 6_2_011C95D0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9840 NtDelayExecution,LdrInitializeThunk, 6_2_011C9840
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_011C9860
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C98F0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_011C98F0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9710 NtQueryInformationToken,LdrInitializeThunk, 6_2_011C9710
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9780 NtMapViewOfSection,LdrInitializeThunk, 6_2_011C9780
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C97A0 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_011C97A0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9FE0 NtCreateMutant,LdrInitializeThunk, 6_2_011C9FE0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9A00 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_011C9A00
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9A20 NtResumeThread,LdrInitializeThunk, 6_2_011C9A20
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9A50 NtCreateFile,LdrInitializeThunk, 6_2_011C9A50
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_011C9660
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C96E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_011C96E0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011CAD30 NtSetContextThread, 6_2_011CAD30
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9520 NtWaitForSingleObject, 6_2_011C9520
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9950 NtQueueApcThread, 6_2_011C9950
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9560 NtWriteFile, 6_2_011C9560
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C99D0 NtCreateProcessEx, 6_2_011C99D0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C95F0 NtQueryInformationFile, 6_2_011C95F0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9820 NtEnumerateKey, 6_2_011C9820
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011CB040 NtSuspendThread, 6_2_011CB040
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C98A0 NtWriteVirtualMemory, 6_2_011C98A0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011CA710 NtOpenProcessToken, 6_2_011CA710
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9B00 NtSetValueKey, 6_2_011C9B00
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9730 NtQueryVirtualMemory, 6_2_011C9730
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9770 NtSetInformationFile, 6_2_011C9770
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011CA770 NtOpenThread, 6_2_011CA770
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9760 NtOpenProcess, 6_2_011C9760
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011CA3B0 NtGetContextThread, 6_2_011CA3B0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9610 NtEnumerateValueKey, 6_2_011C9610
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9A10 NtQuerySection, 6_2_011C9A10
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9650 NtQueryValueKey, 6_2_011C9650
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9670 NtQueryInformationProcess, 6_2_011C9670
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C9A80 NtOpenDirectoryObject, 6_2_011C9A80
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C96D0 NtCreateKey, 6_2_011C96D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D896D0 NtCreateKey,LdrInitializeThunk, 18_2_02D896D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D896E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_02D896E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89650 NtQueryValueKey,LdrInitializeThunk, 18_2_02D89650
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89A50 NtCreateFile,LdrInitializeThunk, 18_2_02D89A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89660 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_02D89660
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89FE0 NtCreateMutant,LdrInitializeThunk, 18_2_02D89FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89780 NtMapViewOfSection,LdrInitializeThunk, 18_2_02D89780
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89710 NtQueryInformationToken,LdrInitializeThunk, 18_2_02D89710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89840 NtDelayExecution,LdrInitializeThunk, 18_2_02D89840
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89860 NtQuerySystemInformation,LdrInitializeThunk, 18_2_02D89860
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D895D0 NtClose,LdrInitializeThunk, 18_2_02D895D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D899A0 NtCreateSection,LdrInitializeThunk, 18_2_02D899A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89540 NtReadFile,LdrInitializeThunk, 18_2_02D89540
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89910 NtAdjustPrivilegesToken,LdrInitializeThunk, 18_2_02D89910
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89A80 NtOpenDirectoryObject, 18_2_02D89A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89670 NtQueryInformationProcess, 18_2_02D89670
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89610 NtEnumerateValueKey, 18_2_02D89610
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89A10 NtQuerySection, 18_2_02D89A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89A00 NtProtectVirtualMemory, 18_2_02D89A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89A20 NtResumeThread, 18_2_02D89A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D8A3B0 NtGetContextThread, 18_2_02D8A3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D897A0 NtUnmapViewOfSection, 18_2_02D897A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89770 NtSetInformationFile, 18_2_02D89770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D8A770 NtOpenThread, 18_2_02D8A770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89760 NtOpenProcess, 18_2_02D89760
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D8A710 NtOpenProcessToken, 18_2_02D8A710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89B00 NtSetValueKey, 18_2_02D89B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89730 NtQueryVirtualMemory, 18_2_02D89730
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D898F0 NtReadVirtualMemory, 18_2_02D898F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D898A0 NtWriteVirtualMemory, 18_2_02D898A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D8B040 NtSuspendThread, 18_2_02D8B040
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89820 NtEnumerateKey, 18_2_02D89820
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D899D0 NtCreateProcessEx, 18_2_02D899D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D895F0 NtQueryInformationFile, 18_2_02D895F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89950 NtQueueApcThread, 18_2_02D89950
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89560 NtWriteFile, 18_2_02D89560
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D8AD30 NtSetContextThread, 18_2_02D8AD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D89520 NtWaitForSingleObject, 18_2_02D89520
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003D85B0 NtCreateFile, 18_2_003D85B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003D8660 NtReadFile, 18_2_003D8660
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003D86E0 NtClose, 18_2_003D86E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003D8790 NtAllocateVirtualMemory, 18_2_003D8790
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003D85AA NtCreateFile, 18_2_003D85AA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003D86DA NtClose, 18_2_003D86DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003D878A NtAllocateVirtualMemory, 18_2_003D878A
Sample file is different than original file name gathered from version info
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp Binary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000000.00000002.287588690.00000000070D0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll< vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000005.00000002.272314311.00000000003AE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000006.00000000.272808507.000000000066E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000006.00000002.371649875.000000000127F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
PE file contains strange resources
Source: Fu94e0b1TR.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Fu94e0b1TR.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe File created: C:\Users\user\AppData\Local\Gottschalks
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/1@6/2
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Fu94e0b1TR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Fu94e0b1TR.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
Source: Binary string: netstat.pdb source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: Fu94e0b1TR.exe, 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, NETSTAT.EXE, 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Fu94e0b1TR.exe, NETSTAT.EXE

Data Obfuscation:

.NET source code contains potential unpacker
Source: Fu94e0b1TR.exe, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Fu94e0b1TR.exe.6d0000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Fu94e0b1TR.exe.6d0000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.Fu94e0b1TR.exe.350000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.2.Fu94e0b1TR.exe.350000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.2.Fu94e0b1TR.exe.610000.1.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.0.Fu94e0b1TR.exe.610000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 0_2_00F5203B push ebx; retf 0_2_00F5207A
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 0_2_07131CAA push 8406FDCBh; retf 0_2_07131CB1
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 0_2_07133B05 push FFFFFF8Bh; iretd 0_2_07133B07
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0041B85C push eax; ret 6_2_0041B862
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_00407027 push ebx; ret 6_2_00407096
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_00415115 push es; iretd 6_2_00415128
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_00414F3A push ds; iretd 6_2_00414F3B
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0041B7F2 push eax; ret 6_2_0041B7F8
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0041B7FB push eax; ret 6_2_0041B862
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0041B7A5 push eax; ret 6_2_0041B7F8
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011DD0D1 push ecx; ret 6_2_011DD0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D9D0D1 push ecx; ret 18_2_02D9D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003C7027 push ebx; ret 18_2_003C7096
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003DB85C push eax; ret 18_2_003DB862
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003D5115 push es; iretd 18_2_003D5128
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003D4F3A push ds; iretd 18_2_003D4F3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003DB7A5 push eax; ret 18_2_003DB7F8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003DB7FB push eax; ret 18_2_003DB862
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_003DB7F2 push eax; ret 18_2_003DB7F8
Source: initial sample Static PE information: section name: .text entropy: 7.77320879492

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.Fu94e0b1TR.exe.2b61628.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Fu94e0b1TR.exe PID: 4628, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000003C8604 second address: 00000000003C860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000003C898E second address: 00000000003C8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe TID: 4632 Thread sleep time: -35139s >= -30000s
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe TID: 6040 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_004088C0 rdtsc 6_2_004088C0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Thread delayed: delay time: 35139
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000007.00000000.308243918.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000007.00000000.294128069.000000000DC20000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ap88
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.308243918.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.299944517.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000007.00000000.308321174.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000007.00000000.357810922.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000007.00000000.308321174.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_004088C0 rdtsc 6_2_004088C0
Enables debug privileges
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01258D34 mov eax, dword ptr fs:[00000030h] 6_2_01258D34
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0120A537 mov eax, dword ptr fs:[00000030h] 6_2_0120A537
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01189100 mov eax, dword ptr fs:[00000030h] 6_2_01189100
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B4D3B mov eax, dword ptr fs:[00000030h] 6_2_011B4D3B
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B513A mov eax, dword ptr fs:[00000030h] 6_2_011B513A
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0118AD30 mov eax, dword ptr fs:[00000030h] 6_2_0118AD30
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01193D34 mov eax, dword ptr fs:[00000030h] 6_2_01193D34
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011A4120 mov eax, dword ptr fs:[00000030h] 6_2_011A4120
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011A4120 mov ecx, dword ptr fs:[00000030h] 6_2_011A4120
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011A7D50 mov eax, dword ptr fs:[00000030h] 6_2_011A7D50
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011AB944 mov eax, dword ptr fs:[00000030h] 6_2_011AB944
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C3D43 mov eax, dword ptr fs:[00000030h] 6_2_011C3D43
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01203540 mov eax, dword ptr fs:[00000030h] 6_2_01203540
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0118B171 mov eax, dword ptr fs:[00000030h] 6_2_0118B171
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011AC577 mov eax, dword ptr fs:[00000030h] 6_2_011AC577
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0118C962 mov eax, dword ptr fs:[00000030h] 6_2_0118C962
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BFD9B mov eax, dword ptr fs:[00000030h] 6_2_011BFD9B
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_012069A6 mov eax, dword ptr fs:[00000030h] 6_2_012069A6
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B2990 mov eax, dword ptr fs:[00000030h] 6_2_011B2990
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01182D8A mov eax, dword ptr fs:[00000030h] 6_2_01182D8A
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011AC182 mov eax, dword ptr fs:[00000030h] 6_2_011AC182
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B2581 mov eax, dword ptr fs:[00000030h] 6_2_011B2581
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BA185 mov eax, dword ptr fs:[00000030h] 6_2_011BA185
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_012051BE mov eax, dword ptr fs:[00000030h] 6_2_012051BE
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B1DB5 mov eax, dword ptr fs:[00000030h] 6_2_011B1DB5
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B35A1 mov eax, dword ptr fs:[00000030h] 6_2_011B35A1
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B61A0 mov eax, dword ptr fs:[00000030h] 6_2_011B61A0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_012141E8 mov eax, dword ptr fs:[00000030h] 6_2_012141E8
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01238DF1 mov eax, dword ptr fs:[00000030h] 6_2_01238DF1
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01206DC9 mov eax, dword ptr fs:[00000030h] 6_2_01206DC9
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01206DC9 mov ecx, dword ptr fs:[00000030h] 6_2_01206DC9
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0118B1E1 mov eax, dword ptr fs:[00000030h] 6_2_0118B1E1
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0119D5E0 mov eax, dword ptr fs:[00000030h] 6_2_0119D5E0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01241C06 mov eax, dword ptr fs:[00000030h] 6_2_01241C06
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0125740D mov eax, dword ptr fs:[00000030h] 6_2_0125740D
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01206C0A mov eax, dword ptr fs:[00000030h] 6_2_01206C0A
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01254015 mov eax, dword ptr fs:[00000030h] 6_2_01254015
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0119B02A mov eax, dword ptr fs:[00000030h] 6_2_0119B02A
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01207016 mov eax, dword ptr fs:[00000030h] 6_2_01207016
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B002D mov eax, dword ptr fs:[00000030h] 6_2_011B002D
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BBC2C mov eax, dword ptr fs:[00000030h] 6_2_011BBC2C
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011A0050 mov eax, dword ptr fs:[00000030h] 6_2_011A0050
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BA44B mov eax, dword ptr fs:[00000030h] 6_2_011BA44B
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01251074 mov eax, dword ptr fs:[00000030h] 6_2_01251074
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01242073 mov eax, dword ptr fs:[00000030h] 6_2_01242073
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0121C450 mov eax, dword ptr fs:[00000030h] 6_2_0121C450
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011A746D mov eax, dword ptr fs:[00000030h] 6_2_011A746D
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0119849B mov eax, dword ptr fs:[00000030h] 6_2_0119849B
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01189080 mov eax, dword ptr fs:[00000030h] 6_2_01189080
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BF0BF mov ecx, dword ptr fs:[00000030h] 6_2_011BF0BF
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BF0BF mov eax, dword ptr fs:[00000030h] 6_2_011BF0BF
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01203884 mov eax, dword ptr fs:[00000030h] 6_2_01203884
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C90AF mov eax, dword ptr fs:[00000030h] 6_2_011C90AF
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B20A0 mov eax, dword ptr fs:[00000030h] 6_2_011B20A0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01206CF0 mov eax, dword ptr fs:[00000030h] 6_2_01206CF0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_012414FB mov eax, dword ptr fs:[00000030h] 6_2_012414FB
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0121B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0121B8D0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0121B8D0 mov ecx, dword ptr fs:[00000030h] 6_2_0121B8D0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01258CD6 mov eax, dword ptr fs:[00000030h] 6_2_01258CD6
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011858EC mov eax, dword ptr fs:[00000030h] 6_2_011858EC
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011AF716 mov eax, dword ptr fs:[00000030h] 6_2_011AF716
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BA70E mov eax, dword ptr fs:[00000030h] 6_2_011BA70E
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0125070D mov eax, dword ptr fs:[00000030h] 6_2_0125070D
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BE730 mov eax, dword ptr fs:[00000030h] 6_2_011BE730
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0121FF10 mov eax, dword ptr fs:[00000030h] 6_2_0121FF10
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01184F2E mov eax, dword ptr fs:[00000030h] 6_2_01184F2E
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0124131B mov eax, dword ptr fs:[00000030h] 6_2_0124131B
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0118F358 mov eax, dword ptr fs:[00000030h] 6_2_0118F358
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01258F6A mov eax, dword ptr fs:[00000030h] 6_2_01258F6A
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0118DB40 mov eax, dword ptr fs:[00000030h] 6_2_0118DB40
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0119EF40 mov eax, dword ptr fs:[00000030h] 6_2_0119EF40
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B3B7A mov eax, dword ptr fs:[00000030h] 6_2_011B3B7A
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0118DB60 mov ecx, dword ptr fs:[00000030h] 6_2_0118DB60
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0119FF60 mov eax, dword ptr fs:[00000030h] 6_2_0119FF60
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01258B58 mov eax, dword ptr fs:[00000030h] 6_2_01258B58
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01255BA5 mov eax, dword ptr fs:[00000030h] 6_2_01255BA5
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BB390 mov eax, dword ptr fs:[00000030h] 6_2_011BB390
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B2397 mov eax, dword ptr fs:[00000030h] 6_2_011B2397
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01198794 mov eax, dword ptr fs:[00000030h] 6_2_01198794
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01191B8F mov eax, dword ptr fs:[00000030h] 6_2_01191B8F
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0123D380 mov ecx, dword ptr fs:[00000030h] 6_2_0123D380
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0124138A mov eax, dword ptr fs:[00000030h] 6_2_0124138A
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01207794 mov eax, dword ptr fs:[00000030h] 6_2_01207794
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B4BAD mov eax, dword ptr fs:[00000030h] 6_2_011B4BAD
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C37F5 mov eax, dword ptr fs:[00000030h] 6_2_011C37F5
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_012053CA mov eax, dword ptr fs:[00000030h] 6_2_012053CA
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B03E2 mov eax, dword ptr fs:[00000030h] 6_2_011B03E2
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011A3A1C mov eax, dword ptr fs:[00000030h] 6_2_011A3A1C
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BA61C mov eax, dword ptr fs:[00000030h] 6_2_011BA61C
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01185210 mov eax, dword ptr fs:[00000030h] 6_2_01185210
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01185210 mov ecx, dword ptr fs:[00000030h] 6_2_01185210
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0118AA16 mov eax, dword ptr fs:[00000030h] 6_2_0118AA16
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01198A0A mov eax, dword ptr fs:[00000030h] 6_2_01198A0A
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0118C600 mov eax, dword ptr fs:[00000030h] 6_2_0118C600
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B8E00 mov eax, dword ptr fs:[00000030h] 6_2_011B8E00
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0123FE3F mov eax, dword ptr fs:[00000030h] 6_2_0123FE3F
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C4A2C mov eax, dword ptr fs:[00000030h] 6_2_011C4A2C
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0118E620 mov eax, dword ptr fs:[00000030h] 6_2_0118E620
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0123B260 mov eax, dword ptr fs:[00000030h] 6_2_0123B260
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01258A62 mov eax, dword ptr fs:[00000030h] 6_2_01258A62
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01189240 mov eax, dword ptr fs:[00000030h] 6_2_01189240
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01197E41 mov eax, dword ptr fs:[00000030h] 6_2_01197E41
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01197E41 mov eax, dword ptr fs:[00000030h] 6_2_01197E41
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01197E41 mov eax, dword ptr fs:[00000030h] 6_2_01197E41
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01197E41 mov eax, dword ptr fs:[00000030h] 6_2_01197E41
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01197E41 mov eax, dword ptr fs:[00000030h] 6_2_01197E41
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01197E41 mov eax, dword ptr fs:[00000030h] 6_2_01197E41
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C927A mov eax, dword ptr fs:[00000030h] 6_2_011C927A
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011AAE73 mov eax, dword ptr fs:[00000030h] 6_2_011AAE73
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011AAE73 mov eax, dword ptr fs:[00000030h] 6_2_011AAE73
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011AAE73 mov eax, dword ptr fs:[00000030h] 6_2_011AAE73
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011AAE73 mov eax, dword ptr fs:[00000030h] 6_2_011AAE73
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011AAE73 mov eax, dword ptr fs:[00000030h] 6_2_011AAE73
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0119766D mov eax, dword ptr fs:[00000030h] 6_2_0119766D
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01214257 mov eax, dword ptr fs:[00000030h] 6_2_01214257
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01250EA5 mov eax, dword ptr fs:[00000030h] 6_2_01250EA5
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01250EA5 mov eax, dword ptr fs:[00000030h] 6_2_01250EA5
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01250EA5 mov eax, dword ptr fs:[00000030h] 6_2_01250EA5
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_012046A7 mov eax, dword ptr fs:[00000030h] 6_2_012046A7
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BD294 mov eax, dword ptr fs:[00000030h] 6_2_011BD294
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BD294 mov eax, dword ptr fs:[00000030h] 6_2_011BD294
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0121FE87 mov eax, dword ptr fs:[00000030h] 6_2_0121FE87
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0119AAB0 mov eax, dword ptr fs:[00000030h] 6_2_0119AAB0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0119AAB0 mov eax, dword ptr fs:[00000030h] 6_2_0119AAB0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011BFAB0 mov eax, dword ptr fs:[00000030h] 6_2_011BFAB0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011852A5 mov eax, dword ptr fs:[00000030h] 6_2_011852A5
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011852A5 mov eax, dword ptr fs:[00000030h] 6_2_011852A5
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011852A5 mov eax, dword ptr fs:[00000030h] 6_2_011852A5
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011852A5 mov eax, dword ptr fs:[00000030h] 6_2_011852A5
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011852A5 mov eax, dword ptr fs:[00000030h] 6_2_011852A5
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B2ACB mov eax, dword ptr fs:[00000030h] 6_2_011B2ACB
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B36CC mov eax, dword ptr fs:[00000030h] 6_2_011B36CC
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011C8EC7 mov eax, dword ptr fs:[00000030h] 6_2_011C8EC7
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_0123FEC0 mov eax, dword ptr fs:[00000030h] 6_2_0123FEC0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_01258ED6 mov eax, dword ptr fs:[00000030h] 6_2_01258ED6
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B16E0 mov ecx, dword ptr fs:[00000030h] 6_2_011B16E0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011976E2 mov eax, dword ptr fs:[00000030h] 6_2_011976E2
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_011B2AE4 mov eax, dword ptr fs:[00000030h] 6_2_011B2AE4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D736CC mov eax, dword ptr fs:[00000030h] 18_2_02D736CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DFFEC0 mov eax, dword ptr fs:[00000030h] 18_2_02DFFEC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D88EC7 mov eax, dword ptr fs:[00000030h] 18_2_02D88EC7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D716E0 mov ecx, dword ptr fs:[00000030h] 18_2_02D716E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E18ED6 mov eax, dword ptr fs:[00000030h] 18_2_02E18ED6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D576E2 mov eax, dword ptr fs:[00000030h] 18_2_02D576E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7D294 mov eax, dword ptr fs:[00000030h] 18_2_02D7D294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7D294 mov eax, dword ptr fs:[00000030h] 18_2_02D7D294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E10EA5 mov eax, dword ptr fs:[00000030h] 18_2_02E10EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E10EA5 mov eax, dword ptr fs:[00000030h] 18_2_02E10EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E10EA5 mov eax, dword ptr fs:[00000030h] 18_2_02E10EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DDFE87 mov eax, dword ptr fs:[00000030h] 18_2_02DDFE87
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5AAB0 mov eax, dword ptr fs:[00000030h] 18_2_02D5AAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5AAB0 mov eax, dword ptr fs:[00000030h] 18_2_02D5AAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7FAB0 mov eax, dword ptr fs:[00000030h] 18_2_02D7FAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D452A5 mov eax, dword ptr fs:[00000030h] 18_2_02D452A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D452A5 mov eax, dword ptr fs:[00000030h] 18_2_02D452A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D452A5 mov eax, dword ptr fs:[00000030h] 18_2_02D452A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D452A5 mov eax, dword ptr fs:[00000030h] 18_2_02D452A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D452A5 mov eax, dword ptr fs:[00000030h] 18_2_02D452A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC46A7 mov eax, dword ptr fs:[00000030h] 18_2_02DC46A7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E18A62 mov eax, dword ptr fs:[00000030h] 18_2_02E18A62
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DD4257 mov eax, dword ptr fs:[00000030h] 18_2_02DD4257
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D49240 mov eax, dword ptr fs:[00000030h] 18_2_02D49240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D49240 mov eax, dword ptr fs:[00000030h] 18_2_02D49240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D49240 mov eax, dword ptr fs:[00000030h] 18_2_02D49240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D49240 mov eax, dword ptr fs:[00000030h] 18_2_02D49240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D57E41 mov eax, dword ptr fs:[00000030h] 18_2_02D57E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D57E41 mov eax, dword ptr fs:[00000030h] 18_2_02D57E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D57E41 mov eax, dword ptr fs:[00000030h] 18_2_02D57E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D57E41 mov eax, dword ptr fs:[00000030h] 18_2_02D57E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D57E41 mov eax, dword ptr fs:[00000030h] 18_2_02D57E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D57E41 mov eax, dword ptr fs:[00000030h] 18_2_02D57E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D8927A mov eax, dword ptr fs:[00000030h] 18_2_02D8927A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D6AE73 mov eax, dword ptr fs:[00000030h] 18_2_02D6AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D6AE73 mov eax, dword ptr fs:[00000030h] 18_2_02D6AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D6AE73 mov eax, dword ptr fs:[00000030h] 18_2_02D6AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D6AE73 mov eax, dword ptr fs:[00000030h] 18_2_02D6AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D6AE73 mov eax, dword ptr fs:[00000030h] 18_2_02D6AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5766D mov eax, dword ptr fs:[00000030h] 18_2_02D5766D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DFB260 mov eax, dword ptr fs:[00000030h] 18_2_02DFB260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DFB260 mov eax, dword ptr fs:[00000030h] 18_2_02DFB260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D63A1C mov eax, dword ptr fs:[00000030h] 18_2_02D63A1C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7A61C mov eax, dword ptr fs:[00000030h] 18_2_02D7A61C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7A61C mov eax, dword ptr fs:[00000030h] 18_2_02D7A61C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4C600 mov eax, dword ptr fs:[00000030h] 18_2_02D4C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4C600 mov eax, dword ptr fs:[00000030h] 18_2_02D4C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4C600 mov eax, dword ptr fs:[00000030h] 18_2_02D4C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D78E00 mov eax, dword ptr fs:[00000030h] 18_2_02D78E00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D58A0A mov eax, dword ptr fs:[00000030h] 18_2_02D58A0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DFFE3F mov eax, dword ptr fs:[00000030h] 18_2_02DFFE3F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4E620 mov eax, dword ptr fs:[00000030h] 18_2_02D4E620
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D837F5 mov eax, dword ptr fs:[00000030h] 18_2_02D837F5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D58794 mov eax, dword ptr fs:[00000030h] 18_2_02D58794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E15BA5 mov eax, dword ptr fs:[00000030h] 18_2_02E15BA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7B390 mov eax, dword ptr fs:[00000030h] 18_2_02D7B390
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC7794 mov eax, dword ptr fs:[00000030h] 18_2_02DC7794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC7794 mov eax, dword ptr fs:[00000030h] 18_2_02DC7794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC7794 mov eax, dword ptr fs:[00000030h] 18_2_02DC7794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D51B8F mov eax, dword ptr fs:[00000030h] 18_2_02D51B8F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D51B8F mov eax, dword ptr fs:[00000030h] 18_2_02D51B8F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DFD380 mov ecx, dword ptr fs:[00000030h] 18_2_02DFD380
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E0138A mov eax, dword ptr fs:[00000030h] 18_2_02E0138A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E18F6A mov eax, dword ptr fs:[00000030h] 18_2_02E18F6A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4F358 mov eax, dword ptr fs:[00000030h] 18_2_02D4F358
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4DB40 mov eax, dword ptr fs:[00000030h] 18_2_02D4DB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5EF40 mov eax, dword ptr fs:[00000030h] 18_2_02D5EF40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D73B7A mov eax, dword ptr fs:[00000030h] 18_2_02D73B7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D73B7A mov eax, dword ptr fs:[00000030h] 18_2_02D73B7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4DB60 mov ecx, dword ptr fs:[00000030h] 18_2_02D4DB60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5FF60 mov eax, dword ptr fs:[00000030h] 18_2_02D5FF60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E18B58 mov eax, dword ptr fs:[00000030h] 18_2_02E18B58
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D6F716 mov eax, dword ptr fs:[00000030h] 18_2_02D6F716
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DDFF10 mov eax, dword ptr fs:[00000030h] 18_2_02DDFF10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DDFF10 mov eax, dword ptr fs:[00000030h] 18_2_02DDFF10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7A70E mov eax, dword ptr fs:[00000030h] 18_2_02D7A70E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7A70E mov eax, dword ptr fs:[00000030h] 18_2_02D7A70E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7E730 mov eax, dword ptr fs:[00000030h] 18_2_02D7E730
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E1070D mov eax, dword ptr fs:[00000030h] 18_2_02E1070D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E1070D mov eax, dword ptr fs:[00000030h] 18_2_02E1070D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D44F2E mov eax, dword ptr fs:[00000030h] 18_2_02D44F2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D44F2E mov eax, dword ptr fs:[00000030h] 18_2_02D44F2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E0131B mov eax, dword ptr fs:[00000030h] 18_2_02E0131B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DDB8D0 mov eax, dword ptr fs:[00000030h] 18_2_02DDB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DDB8D0 mov ecx, dword ptr fs:[00000030h] 18_2_02DDB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DDB8D0 mov eax, dword ptr fs:[00000030h] 18_2_02DDB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DDB8D0 mov eax, dword ptr fs:[00000030h] 18_2_02DDB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DDB8D0 mov eax, dword ptr fs:[00000030h] 18_2_02DDB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DDB8D0 mov eax, dword ptr fs:[00000030h] 18_2_02DDB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E014FB mov eax, dword ptr fs:[00000030h] 18_2_02E014FB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC6CF0 mov eax, dword ptr fs:[00000030h] 18_2_02DC6CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC6CF0 mov eax, dword ptr fs:[00000030h] 18_2_02DC6CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC6CF0 mov eax, dword ptr fs:[00000030h] 18_2_02DC6CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E18CD6 mov eax, dword ptr fs:[00000030h] 18_2_02E18CD6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5849B mov eax, dword ptr fs:[00000030h] 18_2_02D5849B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D49080 mov eax, dword ptr fs:[00000030h] 18_2_02D49080
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC3884 mov eax, dword ptr fs:[00000030h] 18_2_02DC3884
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC3884 mov eax, dword ptr fs:[00000030h] 18_2_02DC3884
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7F0BF mov ecx, dword ptr fs:[00000030h] 18_2_02D7F0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7F0BF mov eax, dword ptr fs:[00000030h] 18_2_02D7F0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7F0BF mov eax, dword ptr fs:[00000030h] 18_2_02D7F0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D890AF mov eax, dword ptr fs:[00000030h] 18_2_02D890AF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D60050 mov eax, dword ptr fs:[00000030h] 18_2_02D60050
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D60050 mov eax, dword ptr fs:[00000030h] 18_2_02D60050
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DDC450 mov eax, dword ptr fs:[00000030h] 18_2_02DDC450
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DDC450 mov eax, dword ptr fs:[00000030h] 18_2_02DDC450
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E02073 mov eax, dword ptr fs:[00000030h] 18_2_02E02073
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E11074 mov eax, dword ptr fs:[00000030h] 18_2_02E11074
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7A44B mov eax, dword ptr fs:[00000030h] 18_2_02D7A44B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D6746D mov eax, dword ptr fs:[00000030h] 18_2_02D6746D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC7016 mov eax, dword ptr fs:[00000030h] 18_2_02DC7016
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC7016 mov eax, dword ptr fs:[00000030h] 18_2_02DC7016
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC7016 mov eax, dword ptr fs:[00000030h] 18_2_02DC7016
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC6C0A mov eax, dword ptr fs:[00000030h] 18_2_02DC6C0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC6C0A mov eax, dword ptr fs:[00000030h] 18_2_02DC6C0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC6C0A mov eax, dword ptr fs:[00000030h] 18_2_02DC6C0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC6C0A mov eax, dword ptr fs:[00000030h] 18_2_02DC6C0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h] 18_2_02E01C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E1740D mov eax, dword ptr fs:[00000030h] 18_2_02E1740D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E1740D mov eax, dword ptr fs:[00000030h] 18_2_02E1740D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E1740D mov eax, dword ptr fs:[00000030h] 18_2_02E1740D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E14015 mov eax, dword ptr fs:[00000030h] 18_2_02E14015
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E14015 mov eax, dword ptr fs:[00000030h] 18_2_02E14015
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7BC2C mov eax, dword ptr fs:[00000030h] 18_2_02D7BC2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5B02A mov eax, dword ptr fs:[00000030h] 18_2_02D5B02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5B02A mov eax, dword ptr fs:[00000030h] 18_2_02D5B02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5B02A mov eax, dword ptr fs:[00000030h] 18_2_02D5B02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5B02A mov eax, dword ptr fs:[00000030h] 18_2_02D5B02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DF8DF1 mov eax, dword ptr fs:[00000030h] 18_2_02DF8DF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4B1E1 mov eax, dword ptr fs:[00000030h] 18_2_02D4B1E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4B1E1 mov eax, dword ptr fs:[00000030h] 18_2_02D4B1E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4B1E1 mov eax, dword ptr fs:[00000030h] 18_2_02D4B1E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DD41E8 mov eax, dword ptr fs:[00000030h] 18_2_02DD41E8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5D5E0 mov eax, dword ptr fs:[00000030h] 18_2_02D5D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D5D5E0 mov eax, dword ptr fs:[00000030h] 18_2_02D5D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7FD9B mov eax, dword ptr fs:[00000030h] 18_2_02D7FD9B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7FD9B mov eax, dword ptr fs:[00000030h] 18_2_02D7FD9B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7A185 mov eax, dword ptr fs:[00000030h] 18_2_02D7A185
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D6C182 mov eax, dword ptr fs:[00000030h] 18_2_02D6C182
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D42D8A mov eax, dword ptr fs:[00000030h] 18_2_02D42D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D42D8A mov eax, dword ptr fs:[00000030h] 18_2_02D42D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D42D8A mov eax, dword ptr fs:[00000030h] 18_2_02D42D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D42D8A mov eax, dword ptr fs:[00000030h] 18_2_02D42D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D42D8A mov eax, dword ptr fs:[00000030h] 18_2_02D42D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D71DB5 mov eax, dword ptr fs:[00000030h] 18_2_02D71DB5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D71DB5 mov eax, dword ptr fs:[00000030h] 18_2_02D71DB5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D71DB5 mov eax, dword ptr fs:[00000030h] 18_2_02D71DB5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D735A1 mov eax, dword ptr fs:[00000030h] 18_2_02D735A1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D761A0 mov eax, dword ptr fs:[00000030h] 18_2_02D761A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D761A0 mov eax, dword ptr fs:[00000030h] 18_2_02D761A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D67D50 mov eax, dword ptr fs:[00000030h] 18_2_02D67D50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D6B944 mov eax, dword ptr fs:[00000030h] 18_2_02D6B944
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D6B944 mov eax, dword ptr fs:[00000030h] 18_2_02D6B944
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D83D43 mov eax, dword ptr fs:[00000030h] 18_2_02D83D43
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DC3540 mov eax, dword ptr fs:[00000030h] 18_2_02DC3540
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D6C577 mov eax, dword ptr fs:[00000030h] 18_2_02D6C577
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D6C577 mov eax, dword ptr fs:[00000030h] 18_2_02D6C577
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4B171 mov eax, dword ptr fs:[00000030h] 18_2_02D4B171
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4B171 mov eax, dword ptr fs:[00000030h] 18_2_02D4B171
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4C962 mov eax, dword ptr fs:[00000030h] 18_2_02D4C962
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D49100 mov eax, dword ptr fs:[00000030h] 18_2_02D49100
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D49100 mov eax, dword ptr fs:[00000030h] 18_2_02D49100
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D49100 mov eax, dword ptr fs:[00000030h] 18_2_02D49100
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02E18D34 mov eax, dword ptr fs:[00000030h] 18_2_02E18D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h] 18_2_02D53D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h] 18_2_02D53D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h] 18_2_02D53D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h] 18_2_02D53D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h] 18_2_02D53D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h] 18_2_02D53D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h] 18_2_02D53D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h] 18_2_02D53D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h] 18_2_02D53D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h] 18_2_02D53D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h] 18_2_02D53D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h] 18_2_02D53D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h] 18_2_02D53D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D4AD30 mov eax, dword ptr fs:[00000030h] 18_2_02D4AD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02DCA537 mov eax, dword ptr fs:[00000030h] 18_2_02DCA537
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D74D3B mov eax, dword ptr fs:[00000030h] 18_2_02D74D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D74D3B mov eax, dword ptr fs:[00000030h] 18_2_02D74D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D74D3B mov eax, dword ptr fs:[00000030h] 18_2_02D74D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7513A mov eax, dword ptr fs:[00000030h] 18_2_02D7513A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D7513A mov eax, dword ptr fs:[00000030h] 18_2_02D7513A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D64120 mov eax, dword ptr fs:[00000030h] 18_2_02D64120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D64120 mov eax, dword ptr fs:[00000030h] 18_2_02D64120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D64120 mov eax, dword ptr fs:[00000030h] 18_2_02D64120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D64120 mov eax, dword ptr fs:[00000030h] 18_2_02D64120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 18_2_02D64120 mov ecx, dword ptr fs:[00000030h] 18_2_02D64120
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Code function: 6_2_00409B30 LdrLoadDll, 6_2_00409B30
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.instatechnovelz.com
Source: C:\Windows\explorer.exe Network Connect: 172.65.227.72 80
Source: C:\Windows\explorer.exe Domain query: www.apricitee.com
Source: C:\Windows\explorer.exe Domain query: www.shacksolid.com
Source: C:\Windows\explorer.exe Network Connect: 64.190.62.111 80
Source: C:\Windows\explorer.exe Domain query: www.brondairy.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: B70000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Thread register set: target process: 3472
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3472
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
Source: explorer.exe, 00000007.00000000.322048505.0000000001640000.00000002.00020000.sdmp, NETSTAT.EXE, 00000012.00000002.518694763.0000000005340000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.322048505.0000000001640000.00000002.00020000.sdmp, NETSTAT.EXE, 00000012.00000002.518694763.0000000005340000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.322048505.0000000001640000.00000002.00020000.sdmp, NETSTAT.EXE, 00000012.00000002.518694763.0000000005340000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000007.00000000.277343079.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000007.00000000.322048505.0000000001640000.00000002.00020000.sdmp, NETSTAT.EXE, 00000012.00000002.518694763.0000000005340000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000007.00000000.322048505.0000000001640000.00000002.00020000.sdmp, NETSTAT.EXE, 00000012.00000002.518694763.0000000005340000.00000002.00020000.sdmp Binary or memory string: Progmanlock
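
The injection lines above form one chain: the dropper re-spawns itself, maps an executable section and sets a thread context in another process, queues an APC into explorer.exe, and NETSTAT.EXE (a system binary that should not be doing any of this) then maps an RWX section into explorer.exe and spawns cmd.exe to delete the original file. The script below is an added example, not part of the Joe Sandbox report: it parses the behavior lines as they appear above, groups the injection primitives by the target the report names (a path for section/APC events, only the bare PID 3472 for the thread-context events, which the excerpt never resolves to an image, so the script does not guess), flags the self-deletion, and lists Windows-directory images that act as the source of an injection primitive. The regexes, the technique labels and the ATT&CK mapping are this example's own; it assumes, as holds in these lines, that image paths contain no spaces.

```python
import re
from collections import defaultdict

# Behavior lines copied from the report above; they are the demo's input.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Thread register set: target process: 3472 Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3472 Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe' Jump to behavior
"""

# Assumption: image paths in this report contain no spaces, so \S+ is enough.
EVENT_RE = re.compile(
    r"^Source: (?P<src>\S+) "
    r"(?P<kind>Section loaded|Thread APC queued|Thread register set|Process created): "
    r"(?P<rest>.*?)(?: Jump to behavior)?$"
)
SECTION_RE = re.compile(r"unknown target: (?P<target>\S+) protection: (?P<prot>.+)$")
DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+'?(?P<path>[^']+)'?", re.IGNORECASE)
INJECT_KINDS = {"Section loaded", "Thread APC queued", "Thread register set"}

# ATT&CK mapping chosen for this example; the report itself assigns no IDs.
ATTACK = {
    "rwx_section_map": "T1055 Process Injection",
    "apc_queue": "T1055.004 Process Injection: Asynchronous Procedure Call",
    "thread_context_set": "T1055.012 Process Injection: Process Hollowing",
    "self_spawn": "T1055.012 Process Injection: Process Hollowing",
    "self_delete": "T1070.004 Indicator Removal: File Deletion",
}


def parse_behavior(text):
    """Turn 'Source: <image> <kind>: ...' lines into event dicts; skip the rest."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev, rest = {"source": m["src"], "kind": m["kind"]}, m["rest"]
        if ev["kind"] == "Section loaded":
            sm = SECTION_RE.match(rest)
            if not sm:
                continue
            ev.update(target=sm["target"], protection=sm["prot"])
        elif ev["kind"] in ("Thread APC queued", "Thread register set"):
            ev["target"] = rest.split("target process: ", 1)[-1]
        else:  # Process created: "<image> <command line>"
            ev.update(image=rest.partition(" ")[0], commandline=rest)
        events.append(ev)
    return events


def injection_summary(events):
    """Injection primitives grouped by target exactly as the report names it:
    a path for section/APC events, a bare PID for thread-context events."""
    by_target = defaultdict(set)
    for ev in events:
        k = ev["kind"]
        if k == "Section loaded" and "execute" in ev["protection"]:
            by_target[ev["target"]].add("rwx_section_map")
        elif k == "Thread APC queued":
            by_target[ev["target"]].add("apc_queue")
        elif k == "Thread register set":
            by_target[ev["target"]].add("thread_context_set")
        elif k == "Process created" and ev["image"].lower() == ev["source"].lower():
            # The report's signature heading says this child is created suspended.
            by_target[ev["image"]].add("self_spawn")
    return {t: sorted(s) for t, s in by_target.items()}


def self_delete_commands(events):
    """(spawning process, deleted path) for every 'cmd.exe /c del ...' child."""
    hits = []
    for ev in events:
        if ev["kind"] == "Process created":
            m = DEL_RE.search(ev["commandline"])
            if m:
                hits.append((ev["source"], m["path"]))
    return hits


def is_self_deletion(events):
    """True when a deleted path is the image of some process in the chain."""
    images = {ev["source"].lower() for ev in events}
    return any(p.lower() in images for _, p in self_delete_commands(events))


def system_binaries_acting_as_injectors(events):
    """Windows-directory images that are the *source* of an injection primitive;
    a system tool doing this is hosting injected code, not doing its own job."""
    return sorted({ev["source"] for ev in events if ev["kind"] in INJECT_KINDS
                   and ev["source"].lower().startswith("c:\\windows\\")})


def attack_techniques(events):
    found = set()
    for techs in injection_summary(events).values():
        found.update(ATTACK[t] for t in techs)
    if is_self_deletion(events):
        found.add(ATTACK["self_delete"])
    return sorted(found)


if __name__ == "__main__":
    evs = parse_behavior(REPORT_LINES)
    for target, techs in injection_summary(evs).items():
        print(f"{target}: {', '.join(techs)}")
    print("system binaries injecting:", system_binaries_acting_as_injectors(evs))
    print("self-deletion:", self_delete_commands(evs), is_self_deletion(evs))
    print("ATT&CK:", *attack_techniques(evs), sep="\n  ")
```

Run against the lines above, the script reports NETSTAT.EXE as an injection source rather than a network-discovery tool, which is the point a triage analyst should take from this block: the "Uses netstat" signature in the overview describes the image name, not what the process was actually doing. Explorer.exe gets both an RWX section and a queued APC, the thread-context writes are only attributable to PID 3472, and the `cmd.exe /c del` child resolves to the sample's own path, so the original dropper will not be on disk when the host is imaged.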

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Users\user\Desktop\Fu94e0b1TR.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY
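The two Yara lists above name the same thirteen hits, and each hit's "File source" string encodes where in the sandbox run the FormBook payload was seen: a process index, a snapshot number, a base address and, for the `.sdmp` memory dumps, the page protection and region type of the dumped area. The decoder below is an added example written for this page; it is not code from the report or from the sandbox vendor. The field layout (`process.snapshot.dumpid.base.protect.type.sdmp` and `process.snapshot.image.base.index[.raw].unpack`), the assumption that `.sdmp` fields are hexadecimal while `.unpack` process numbers are decimal, and the helper names `parse_source`, `summarize` and `rwx_regions` are all inferred from the identifiers visible above rather than taken from any documented format. The protection and region-type values are decoded with the standard Windows `PAGE_*` and `MEM_*` constants.

```python
"""Decode the Yara-match source identifiers of a sandbox report section.

Added example for this page, not part of the report or of the sandbox product.
ASSUMPTION: the field layout is inferred from the identifiers shown above:
  <proc>.<snap>.<dumpid>.<base>.<protect>.<type>.sdmp        (hex fields)
  <proc>.<snap>.<image>.<base>.<index>[.raw].unpack          (decimal proc/snap)
Protection/type values are decoded with the Windows PAGE_* and MEM_* constants.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
REGION_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$")
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<snap>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.(?P<idx>\d+)"
    r"(?P<raw>\.raw)?\.unpack$")


@dataclass
class YaraHit:
    kind: str                      # "MEMORY" (.sdmp) or "UNPACKEDPE" (.unpack)
    process: int                   # sandbox process index, not a Windows PID
    snapshot: int
    base: int
    protect: Optional[int] = None  # page protection of the dumped region
    region_type: Optional[int] = None
    image: Optional[str] = None    # host image name for unpacked PEs
    raw: bool = False              # ".raw" = dumped as-is, else section-rebuilt

    @property
    def rwx(self) -> bool:
        """True when the region is both writable and executable (low byte only;
        modifiers such as PAGE_GUARD live in the upper bits)."""
        return self.protect is not None and (self.protect & 0xFF) in (0x40, 0x80)

    def describe(self) -> str:
        if self.kind == "MEMORY":
            prot = PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))
            mtype = REGION_TYPE.get(self.region_type, hex(self.region_type))
            return (f"proc {self.process:2d} snap {self.snapshot} MEMORY     "
                    f"base {self.base:#010x} {prot} {mtype}")
        tag = "raw" if self.raw else "rebuilt"
        return (f"proc {self.process:2d} snap {self.snapshot} UNPACKEDPE "
                f"base {self.base:#010x} {self.image} ({tag})")


def parse_source(source: str) -> YaraHit:
    """Turn one 'File source:' identifier into a structured hit."""
    m = SDMP_RE.match(source)
    if m:
        return YaraHit("MEMORY", int(m["proc"], 16), int(m["snap"], 16), int(m["base"], 16),
                       protect=int(m["prot"], 16), region_type=int(m["mtype"], 16))
    m = UNPACK_RE.match(source)
    if m:
        return YaraHit("UNPACKEDPE", int(m["proc"]), int(m["snap"]), int(m["base"], 16),
                       image=m["image"], raw=m["raw"] is not None)
    raise ValueError(f"unrecognised Yara source: {source!r}")


def summarize(sources: List[str]) -> Dict[int, List[YaraHit]]:
    """Group hits by sandbox process index so one process's footprint reads together."""
    groups: Dict[int, List[YaraHit]] = defaultdict(list)
    for src in sources:
        hit = parse_source(src)
        groups[hit.process].append(hit)
    return dict(sorted(groups.items()))


def rwx_regions(sources: List[str]) -> List[Tuple[int, int]]:
    """(process, base) pairs whose memory dump was writable+executable:
    the usual footprint of unpacked or injected code rather than a mapped image."""
    hits = (parse_source(s) for s in sources)
    return sorted({(h.process, h.base) for h in hits if h.kind == "MEMORY" and h.rwx})


# The thirteen identifiers from the Yara match lines above.
REPORT_SOURCES = [
    "6.2.Fu94e0b1TR.exe.400000.0.unpack",
    "6.2.Fu94e0b1TR.exe.400000.0.raw.unpack",
    "0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack",
    "0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack",
    "00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp",
    "00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp",
    "00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp",
    "00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp",
    "00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp",
    "00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp",
    "00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp",
    "00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp",
    "00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp",
]

if __name__ == "__main__":
    for proc, hits in summarize(REPORT_SOURCES).items():
        print(f"== process {proc} ==")
        for h in hits:
            print("  " + h.describe())
    print("RWX regions:", [(p, hex(b)) for p, b in rwx_regions(REPORT_SOURCES)])
```

Running it over the report's own identifiers shows that process 6 carries a FormBook image at the conventional base `0x400000` backed by `PAGE_EXECUTE_READWRITE` memory, which is the footprint of a payload written into a hollowed process rather than mapped from disk, and that the same family signature recurs in processes 7 and 18 in private RWX regions; the two `PAGE_READWRITE` hits (process 0 and process 18) are data copies of the payload rather than executing code. When triaging a report like this one, the RWX list is the shortlist of dumps worth pulling for configuration extraction.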