Windows Analysis Report 7TupDHKAwm.exe

Overview

General Information

Sample Name: 7TupDHKAwm.exe
Analysis ID: 512165
MD5: 70b00a6a05ad968af28f6b303d38f231
SHA1: e51873233e79851d7ee46d1f5553cf2b4d60098d
SHA256: be61aba2c5d56a20b50c5f4a682087840876fdf7504fbf5eb8ac56a0e572fb33
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.742059304.0000000001830000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.agentpathleurre.space/s18y/"], "decoy": ["jokes-online.com", "dzzdjn.com", "lizzieerhardtebnaryepptts.com", "interfacehand.xyz", "sale-m.site", "block-facebook.com", "dicasdamadrinha.com", "maythewind.com", "hasari.net", "omnists.com", "thevalley-eg.com", "rdfj.xyz", "szhfcy.com", "alkalineage.club", "fdf.xyz", "absorplus.com", "poldolongo.com", "badassshirts.club", "ferienwohnungenmv.com", "bilboondokoak.com", "ambrosiaaudio.com", "lifeneurologyclub.com", "femboys.world", "blehmails.com", "gametimebg.com", "duytienauto.net", "owerful.com", "amedicalsupplyco.com", "americonnlogistics.com", "ateamautoglassga.com", "clickstool.com", "fzdzcnj.com", "txtgo.xyz", "izassist.com", "3bangzhu.com", "myesstyle.com", "aek181129aek.xyz", "daoxinghumaotest.com", "jxdg.xyz", "restorationculturecon.com", "thenaturalnutrient.com", "sportsandgames.info", "spiderwebinar.net", "erqgseidx.com", "donutmastermind.com", "aidatislemleri-govtr.com", "weetsist.com", "sunsetschoolportaits.com", "exodusguarant.tech", "gsnbls.top", "huangdashi33.xyz", "amazonretoure.net", "greathomeinlakewood.com", "lenovoidc.com", "qiuhenglawfirm.com", "surveyorslimited.com", "carterscts.com", "helmosy.online", "bakersfieldlaughingstock.com", "as-payjrku.icu", "mr-exclusive.com", "givepy.info", "ifvita.com", "obesocarpinteria.online"]}
Multi AV Scanner detection for submitted file
Source: 7TupDHKAwm.exe Virustotal: Detection: 18%
Source: 7TupDHKAwm.exe ReversingLabs: Detection: 13%
Yara detected FormBook
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.7TupDHKAwm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.7TupDHKAwm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7TupDHKAwm.exe.353e9a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.742059304.0000000001830000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922711515.0000000000A10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.741623737.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686015292.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.728776884.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.683641477.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.742802941.0000000001BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.713098420.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.924521754.0000000002DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922851671.0000000000B70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.682941306.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 6.0.7TupDHKAwm.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.7TupDHKAwm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.7TupDHKAwm.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.7TupDHKAwm.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: 7TupDHKAwm.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 7TupDHKAwm.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WWAHost.pdb source: 7TupDHKAwm.exe, 00000006.00000002.743281068.0000000003530000.00000040.00020000.sdmp
Source: Binary string: WWAHost.pdbUGP source: 7TupDHKAwm.exe, 00000006.00000002.743281068.0000000003530000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: 7TupDHKAwm.exe, 00000006.00000002.742147357.0000000001870000.00000040.00000001.sdmp, WWAHost.exe, 0000000B.00000003.741705800.00000000038D0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: 7TupDHKAwm.exe, 00000006.00000002.742147357.0000000001870000.00000040.00000001.sdmp, WWAHost.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 4x nop then pop esi 6_2_00417326
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 4x nop then pop edi 6_2_00417DA8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 4x nop then pop esi 11_2_00A27326
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 4x nop then pop edi 11_2_00A27DA8

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.amazonretoure.net
Source: C:\Windows\explorer.exe Network Connect: 46.38.243.234 80
Source: C:\Windows\explorer.exe Domain query: www.lenovoidc.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.agentpathleurre.space/s18y/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NETCUP-ASnetcupGmbHDE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
GET /s18y/?oVJ4Hplp=C+VjjyIyz5JhIAiSdyGuho+nJXOtpZEvhjPesU35WHH5HFWifcx9eas6lvx4xbPC6vhC&TlZlo=3fdTDXLHN2n HTTP/1.1
Host: www.amazonretoure.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Sat, 30 Oct 2021 07:05:50 GMT
Server: Apache/2.4.10 (Debian)
Content-Length: 283
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.amazonretoure.net Port 80</address></body></html>
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 7TupDHKAwm.exe, 00000000.00000002.690187917.0000000006EA0000.00000004.00020000.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: 7TupDHKAwm.exe, 00000000.00000002.685710945.0000000000B17000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 7TupDHKAwm.exe, 00000000.00000002.685710945.0000000000B17000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: 7TupDHKAwm.exe, 00000000.00000002.685710945.0000000000B17000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comgrita
Source: 7TupDHKAwm.exe, 00000000.00000002.685710945.0000000000B17000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comicet
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 7TupDHKAwm.exe, 00000000.00000002.688304063.00000000065C2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.lenovoidc.com

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.0.7TupDHKAwm.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.7TupDHKAwm.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.7TupDHKAwm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.7TupDHKAwm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.7TupDHKAwm.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.7TupDHKAwm.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.7TupDHKAwm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.7TupDHKAwm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.7TupDHKAwm.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.7TupDHKAwm.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.7TupDHKAwm.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.7TupDHKAwm.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.7TupDHKAwm.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.7TupDHKAwm.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.7TupDHKAwm.exe.353e9a0.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.7TupDHKAwm.exe.353e9a0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.742059304.0000000001830000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.742059304.0000000001830000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.922711515.0000000000A10000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.922711515.0000000000A10000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.741623737.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.741623737.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.686015292.0000000003409000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.686015292.0000000003409000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.728776884.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.728776884.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.683641477.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.683641477.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.742802941.0000000001BA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.742802941.0000000001BA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.713098420.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.713098420.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.924521754.0000000002DA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.924521754.0000000002DA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.922851671.0000000000B70000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.922851671.0000000000B70000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.682941306.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.682941306.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: 7TupDHKAwm.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 6.0.7TupDHKAwm.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.7TupDHKAwm.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.7TupDHKAwm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.7TupDHKAwm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.7TupDHKAwm.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.7TupDHKAwm.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.7TupDHKAwm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.7TupDHKAwm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.7TupDHKAwm.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.7TupDHKAwm.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.7TupDHKAwm.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.7TupDHKAwm.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.7TupDHKAwm.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.7TupDHKAwm.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.7TupDHKAwm.exe.353e9a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.7TupDHKAwm.exe.353e9a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.742059304.0000000001830000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.742059304.0000000001830000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.922711515.0000000000A10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.922711515.0000000000A10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.741623737.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.741623737.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.686015292.0000000003409000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.686015292.0000000003409000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.728776884.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.728776884.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.683641477.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.683641477.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.742802941.0000000001BA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.742802941.0000000001BA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.713098420.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.713098420.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.924521754.0000000002DA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.924521754.0000000002DA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.922851671.0000000000B70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.922851671.0000000000B70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.682941306.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.682941306.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 0_2_00ABC154 0_2_00ABC154
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 0_2_00ABE588 0_2_00ABE588
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 0_2_00ABE598 0_2_00ABE598
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 0_2_071E62B8 0_2_071E62B8
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 0_2_071E0039 0_2_071E0039
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 0_2_071E0040 0_2_071E0040
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041E423 6_2_0041E423
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041E507 6_2_0041E507
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041D5A6 6_2_0041D5A6
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041E5B3 6_2_0041E5B3
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041DE46 6_2_0041DE46
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_00409E60 6_2_00409E60
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041DFA2 6_2_0041DFA2
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0DBD2 11_2_03D0DBD2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D003DA 11_2_03D003DA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7EBB0 11_2_03C7EBB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6AB40 11_2_03C6AB40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D12B28 11_2_03D12B28
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D122AE 11_2_03D122AE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CFFA2B 11_2_03CFFA2B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4F900 11_2_03C4F900
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C64120 11_2_03C64120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D128EC 11_2_03D128EC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5B090 11_2_03C5B090
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C720A0 11_2_03C720A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D120A8 11_2_03D120A8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D01002 11_2_03D01002
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D1E824 11_2_03D1E824
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A830 11_2_03C6A830
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D1DFCE 11_2_03D1DFCE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D11FF1 11_2_03D11FF1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D12EF7 11_2_03D12EF7
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0D616 11_2_03D0D616
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C66E30 11_2_03C66E30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D125DD 11_2_03D125DD
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5D5E0 11_2_03C5D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C72581 11_2_03C72581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D11D55 11_2_03D11D55
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D12D07 11_2_03D12D07
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C40D20 11_2_03C40D20
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0D466 11_2_03D0D466
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5841F 11_2_03C5841F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2D5A6 11_2_00A2D5A6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2E5B3 11_2_00A2E5B3
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A12D90 11_2_00A12D90
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A19E60 11_2_00A19E60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2DE46 11_2_00A2DE46
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2DFA2 11_2_00A2DFA2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A12FB0 11_2_00A12FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 03C4B150 appears 54 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041A360 NtCreateFile, 6_2_0041A360
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041A410 NtReadFile, 6_2_0041A410
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041A490 NtClose, 6_2_0041A490
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041A540 NtAllocateVirtualMemory, 6_2_0041A540
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041A35A NtCreateFile, 6_2_0041A35A
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041A40A NtReadFile, 6_2_0041A40A
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041A48A NtClose, 6_2_0041A48A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89A50 NtCreateFile,LdrInitializeThunk, 11_2_03C89A50
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C899A0 NtCreateSection,LdrInitializeThunk, 11_2_03C899A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89910 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_03C89910
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89840 NtDelayExecution,LdrInitializeThunk, 11_2_03C89840
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89860 NtQuerySystemInformation,LdrInitializeThunk, 11_2_03C89860
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89FE0 NtCreateMutant,LdrInitializeThunk, 11_2_03C89FE0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89780 NtMapViewOfSection,LdrInitializeThunk, 11_2_03C89780
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89710 NtQueryInformationToken,LdrInitializeThunk, 11_2_03C89710
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C896D0 NtCreateKey,LdrInitializeThunk, 11_2_03C896D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C896E0 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_03C896E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89650 NtQueryValueKey,LdrInitializeThunk, 11_2_03C89650
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89660 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_03C89660
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C895D0 NtClose,LdrInitializeThunk, 11_2_03C895D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89540 NtReadFile,LdrInitializeThunk, 11_2_03C89540
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C8A3B0 NtGetContextThread, 11_2_03C8A3B0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89B00 NtSetValueKey, 11_2_03C89B00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89A80 NtOpenDirectoryObject, 11_2_03C89A80
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89A00 NtProtectVirtualMemory, 11_2_03C89A00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89A10 NtQuerySection, 11_2_03C89A10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89A20 NtResumeThread, 11_2_03C89A20
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C899D0 NtCreateProcessEx, 11_2_03C899D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89950 NtQueueApcThread, 11_2_03C89950
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C898F0 NtReadVirtualMemory, 11_2_03C898F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C898A0 NtWriteVirtualMemory, 11_2_03C898A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C8B040 NtSuspendThread, 11_2_03C8B040
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89820 NtEnumerateKey, 11_2_03C89820
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C897A0 NtUnmapViewOfSection, 11_2_03C897A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89760 NtOpenProcess, 11_2_03C89760
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C8A770 NtOpenThread, 11_2_03C8A770
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89770 NtSetInformationFile, 11_2_03C89770
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C8A710 NtOpenProcessToken, 11_2_03C8A710
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89730 NtQueryVirtualMemory, 11_2_03C89730
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89670 NtQueryInformationProcess, 11_2_03C89670
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89610 NtEnumerateValueKey, 11_2_03C89610
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C895F0 NtQueryInformationFile, 11_2_03C895F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89560 NtWriteFile, 11_2_03C89560
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89520 NtWaitForSingleObject, 11_2_03C89520
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C8AD30 NtSetContextThread, 11_2_03C8AD30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2A360 NtCreateFile, 11_2_00A2A360
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2A490 NtClose, 11_2_00A2A490
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2A410 NtReadFile, 11_2_00A2A410
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2A540 NtAllocateVirtualMemory, 11_2_00A2A540
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2A35A NtCreateFile, 11_2_00A2A35A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2A48A NtClose, 11_2_00A2A48A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2A40A NtReadFile, 11_2_00A2A40A
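The native-function list above is a static inventory: it says a stub for each Nt* call is present in the process, not that the call ran. Triage is quicker when that inventory is reduced to the injection primitives it contains. The Python below is an added example, not part of this Joe Sandbox report or of the sample: it parses a constructed subset of the "Code function" lines above (copied from this report into REPORT_LINES), groups the Nt* names per process, and maps them onto the stages of process hollowing and APC injection. The stage labels, the STAGES table and the two verdict rules are the example's own, not Joe Sandbox terminology.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Contains functionality to call native
# functions" lines of this report, copied verbatim so the example runs offline.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041A360 NtCreateFile, 6_2_0041A360
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041A540 NtAllocateVirtualMemory, 6_2_0041A540
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C899D0 NtCreateProcessEx, 11_2_03C899D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C897A0 NtUnmapViewOfSection, 11_2_03C897A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89660 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_03C89660
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C898A0 NtWriteVirtualMemory, 11_2_03C898A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C8AD30 NtSetContextThread, 11_2_03C8AD30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89950 NtQueueApcThread, 11_2_03C89950
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C89A20 NtResumeThread, 11_2_03C89A20
"""

# Line shape: "Source: <image> Code function: <idx>_<stage>_<addr> <api>[,<api>...], <idx>_<stage>_<addr>"
LINE_RE = re.compile(
    r"^Source: (?P<image>\S+) Code function: "
    r"(?P<idx>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]+) "
    r"(?P<apis>.+?),? (?P=idx)_(?P=stage)_(?P=addr)\s*$"
)

# Injection stages and the NT calls that implement them. The labels are this
# example's own; a stage is "hit" when any of its calls is present.
STAGES = {
    "target process handle": {"NtCreateProcessEx", "NtCreateUserProcess", "NtOpenProcess"},
    "unmap original image": {"NtUnmapViewOfSection"},
    "reserve payload memory": {"NtAllocateVirtualMemory", "NtMapViewOfSection"},
    "write payload": {"NtWriteVirtualMemory"},
    "hijack thread": {"NtSetContextThread"},
    "queue APC": {"NtQueueApcThread"},
    "resume target": {"NtResumeThread"},
}
HOLLOWING_REQUIRED = ("target process handle", "unmap original image", "write payload", "resume target")


def parse_native_calls(text: str) -> dict:
    """Map '<image basename>:<process index>' -> set of Nt*/Zw* names listed for it."""
    calls = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        image = m.group("image").rsplit("\\", 1)[-1]
        key = f"{image}:{m.group('idx')}"
        for api in m.group("apis").split(","):
            api = api.strip()
            if api.startswith(("Nt", "Zw")):   # drops annotations such as LdrInitializeThunk
                calls[key].add(api)
    return dict(calls)


def assess_injection(apis: set) -> dict:
    """Stages covered by the call set plus two verdicts: hollowing and APC injection."""
    hit = {stage: sorted(apis & names) for stage, names in STAGES.items() if apis & names}
    hollowing = all(stage in hit for stage in HOLLOWING_REQUIRED) and (
        "hijack thread" in hit or "queue APC" in hit
    )
    apc = "queue APC" in hit and "write payload" in hit
    return {"stages": hit, "process_hollowing": hollowing, "apc_injection": apc}


if __name__ == "__main__":
    for proc, apis in parse_native_calls(REPORT_LINES).items():
        print(proc, assess_injection(apis))
```

Treat a full set of stages as a pivot, not a verdict: a name in this list may be a resolved ntdll export or an in-memory copy of ntdll rather than code the malware wrote, so the proof that the primitives were used is the behaviour evidence elsewhere in the report (the thread-context and APC signatures), not the presence of the stub.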
Sample file is different than original file name gathered from version info
Source: 7TupDHKAwm.exe, 00000000.00000002.690187917.0000000006EA0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameTaskNode.dll4 vs 7TupDHKAwm.exe
Source: 7TupDHKAwm.exe, 00000000.00000000.656590254.000000000015A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCMSFILEWRITABLETY.exe: vs 7TupDHKAwm.exe
Source: 7TupDHKAwm.exe, 00000006.00000000.681392137.0000000000EBA000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCMSFILEWRITABLETY.exe: vs 7TupDHKAwm.exe
Source: 7TupDHKAwm.exe, 00000006.00000002.743558525.00000000035E6000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameWWAHost.exej% vs 7TupDHKAwm.exe
Source: 7TupDHKAwm.exe, 00000006.00000002.742718118.0000000001B1F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 7TupDHKAwm.exe
Source: 7TupDHKAwm.exe Binary or memory string: OriginalFilenameCMSFILEWRITABLETY.exe: vs 7TupDHKAwm.exe
Source: 7TupDHKAwm.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7TupDHKAwm.exe Virustotal: Detection: 18%
Source: 7TupDHKAwm.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\7TupDHKAwm.exe 'C:\Users\user\Desktop\7TupDHKAwm.exe'
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Process created: C:\Users\user\Desktop\7TupDHKAwm.exe C:\Users\user\Desktop\7TupDHKAwm.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\7TupDHKAwm.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7TupDHKAwm.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7TupDHKAwm.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@2/1
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 7TupDHKAwm.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5380:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\7TupDHKAwm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 7TupDHKAwm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 7TupDHKAwm.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WWAHost.pdb source: 7TupDHKAwm.exe, 00000006.00000002.743281068.0000000003530000.00000040.00020000.sdmp
Source: Binary string: WWAHost.pdbUGP source: 7TupDHKAwm.exe, 00000006.00000002.743281068.0000000003530000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: 7TupDHKAwm.exe, 00000006.00000002.742147357.0000000001870000.00000040.00000001.sdmp, WWAHost.exe, 0000000B.00000003.741705800.00000000038D0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: 7TupDHKAwm.exe, 00000006.00000002.742147357.0000000001870000.00000040.00000001.sdmp, WWAHost.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: 7TupDHKAwm.exe, MainForm.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.7TupDHKAwm.exe.f0000.0.unpack, MainForm.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.7TupDHKAwm.exe.e50000.3.unpack, MainForm.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.7TupDHKAwm.exe.e50000.1.unpack, MainForm.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.7TupDHKAwm.exe.e50000.0.unpack, MainForm.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.7TupDHKAwm.exe.e50000.5.unpack, MainForm.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.7TupDHKAwm.exe.e50000.9.unpack, MainForm.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.7TupDHKAwm.exe.e50000.2.unpack, MainForm.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.7TupDHKAwm.exe.e50000.1.unpack, MainForm.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.7TupDHKAwm.exe.e50000.7.unpack, MainForm.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_00417162 push ebp; ret 6_2_00417163
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041D4B5 push eax; ret 6_2_0041D508
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041D56C push eax; ret 6_2_0041D572
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041D502 push eax; ret 6_2_0041D508
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041D50B push eax; ret 6_2_0041D572
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_004165E8 push es; retf 6_2_004165E9
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041CE35 push edi; ret 6_2_0041CE36
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_004176DE push ebp; iretd 6_2_004176A6
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0041768B push ebp; iretd 6_2_004176A6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C9D0D1 push ecx; ret 11_2_03C9D0E4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A27162 push ebp; ret 11_2_00A27163
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2E3EF push esp; ret 11_2_00A2E3F1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2D4B5 push eax; ret 11_2_00A2D508
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A265E8 push es; retf 11_2_00A265E9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2D502 push eax; ret 11_2_00A2D508
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2D50B push eax; ret 11_2_00A2D572
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2D56C push eax; ret 11_2_00A2D572
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2768B push ebp; iretd 11_2_00A276A6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A276DE push ebp; iretd 11_2_00A276A6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_00A2CE35 push edi; ret 11_2_00A2CE36
Source: initial sample Static PE information: section name: .text entropy: 7.4234449666

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEC
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: /c del 'C:\Users\user\Desktop\7TupDHKAwm.exe'
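The self-deletion above, together with the process tree earlier in this report (explorer.exe starting WWAHost.exe, WWAHost.exe starting cmd.exe to delete the dropper, and the dropper re-executing itself), is the part of this behaviour that plain process-creation telemetry sees without any memory inspection. The Python below is an added example, not from the report or the sample: it rebuilds the five process-creation events from the tree above as a constructed dataset (the "unknown" parent is the report's own placeholder) and runs three hunting checks over them. The ProcEvent type, the rule names and the regular expression for the del command are the example's own assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process ("unknown" where the report has none)
    image: str    # image path of the created process
    cmdline: str  # command line as recorded


# Constructed from the process tree in this report: the five "Process created"
# events listed there, nothing added.
EVENTS = [
    ProcEvent("unknown", r"C:\Users\user\Desktop\7TupDHKAwm.exe",
              r"'C:\Users\user\Desktop\7TupDHKAwm.exe'"),
    ProcEvent(r"C:\Users\user\Desktop\7TupDHKAwm.exe", r"C:\Users\user\Desktop\7TupDHKAwm.exe",
              r"C:\Users\user\Desktop\7TupDHKAwm.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\WWAHost.exe",
              r"C:\Windows\SysWOW64\WWAHost.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\WWAHost.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\7TupDHKAwm.exe'"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# "del [/switches] <path>", the path optionally wrapped in ' or "
DEL_RE = re.compile(r"""(?i)\bdel\b\s+(?:/[a-z]\s+)*['"]?([^'"]+?)['"]?\s*$""")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_self_deletion(events):
    """cmd.exe deleting a file that is itself the image of a process in this tree."""
    images = {e.image.lower() for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        if m and m.group(1).strip().lower() in images:
            hits.append((e, m.group(1).strip()))
    return hits


def find_self_spawn(events):
    """A process re-executing its own image, the shape of a loader that hollows a copy of itself."""
    return [e for e in events if e.parent.lower() == e.image.lower()]


def find_explorer_launching_system_binary(events):
    """explorer.exe starting a System32/SysWOW64 binary with no arguments at all."""
    hits = []
    for e in events:
        if basename(e.parent) != "explorer.exe":
            continue
        img = e.image.lower()
        if img.startswith(SYSTEM_DIRS) and e.cmdline.strip().strip("\"'").lower() == img:
            hits.append(e)
    return hits


def triage(events) -> dict:
    return {
        "self_deletion": find_self_deletion(events),
        "self_spawn": find_self_spawn(events),
        "explorer_to_system_binary": find_explorer_launching_system_binary(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(rule, [h.image if isinstance(h, ProcEvent) else h[0].image for h in hits])
```

The first two rules are specific enough to alert on. The third is a hunting pivot only: explorer.exe launches system binaries without arguments whenever a user opens one from the Start menu, so it earns its place by being joined with the self-deletion hit or with the injection signatures from the same host, not on its own.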
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.7TupDHKAwm.exe.24518b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.685820710.0000000002401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7TupDHKAwm.exe PID: 6936, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 7TupDHKAwm.exe, 00000000.00000002.685820710.0000000002401000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: 7TupDHKAwm.exe, 00000000.00000002.685820710.0000000002401000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\7TupDHKAwm.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7TupDHKAwm.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000000A19904 second address: 0000000000A1990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000000A19B7E second address: 0000000000A19B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\7TupDHKAwm.exe TID: 6940 Thread sleep time: -30939s >= -30000s
Source: C:\Users\user\Desktop\7TupDHKAwm.exe TID: 6972 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5980 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 7024 Thread sleep time: -36000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_00409AB0 rdtsc 6_2_00409AB0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Thread delayed: delay time: 30939
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Thread delayed: delay time: 922337203685477
Source: 7TupDHKAwm.exe, 00000000.00000002.685820710.0000000002401000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: 7TupDHKAwm.exe, 00000000.00000002.685820710.0000000002401000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000008.00000000.697632502.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7TupDHKAwm.exe, 00000000.00000002.685820710.0000000002401000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000008.00000000.722320170.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.697632502.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.690672539.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000008.00000000.705796814.0000000004791000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA~
Source: explorer.exe, 00000008.00000000.697945168.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000008.00000000.711634982.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: 7TupDHKAwm.exe, 00000000.00000002.685820710.0000000002401000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
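Added example, not part of the Joe Sandbox report or its own tooling: a small Python triage helper that reads the plain-text signature lines above (thread sleep times, the RDTSC interceptor hit, the hypervisor strings found in memory) together with the `mov eax, dword ptr fs:[00000030h]` PEB-read entries listed in the Anti Debugging section below, and condenses them into a summary an analyst can act on: which sleeps meet the report's 30000 threshold, which sleep value equals the Int64.MaxValue-derived sentinel 922337203685477 (that number is exactly (2^63 - 1) // 10000; reading it as an effectively infinite delay rather than a real wait is this example's interpretation), whether the intercepted instruction sequence contains two `rdtsc` reads bracketing a delta computation, which vendor each memory string points at, and how many fs:[30h] reads each function performs. The sample input is constructed from lines on this page; the vendor marker list is an assumption.

```python
"""Triage helper for Joe Sandbox-style evasion / anti-analysis signature lines.

Added example for this report page; not the sandbox vendor's code. The sample
input below is constructed from signature lines shown on this page.
"""
import re
from collections import Counter

# (2**63 - 1) // 10_000 == 922337203685477, the value the report shows for two
# sleeps. Interpretation (assumption): the largest possible NtDelayExecution
# relative interval, i.e. "sleep forever", not a genuine wait.
INFINITE_SLEEP_SENTINEL = (2**63 - 1) // 10_000

# Assumed vendor markers; the page itself only shows VMware artefacts.
VM_VENDOR_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "hyper-v")

_SLEEP_RE = re.compile(
    r"^Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep time: "
    r"-(?P<amount>\d+)s >= -(?P<threshold>\d+)s")
_RDTSC_RE = re.compile(
    r"^Source: (?P<proc>\S+) RDTSC instruction interceptor: First address: "
    r"(?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<ins>.*)$")
# "0x00000000 rdtsc 0x00000002 xor ecx, ecx ..." -> ["rdtsc", "xor ecx, ecx", ...]
_INSN_RE = re.compile(r"0x[0-9A-Fa-f]{8}\s+(.+?)(?=\s+0x[0-9A-Fa-f]{8}|$)")
_MEMSTR_RE = re.compile(
    r"^Source: (?P<src>[^,]+), (?P<dump>\S+) Binary or memory string: (?P<s>.*)$")
_PEB_RE = re.compile(
    r"^Source: (?P<proc>\S+) Code function: (?P<fn>\S+) mov (?P<reg>\w+), "
    r"dword ptr fs:\[00000030h\]")

# Constructed sample: lines copied from this report page.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000000A19B7E second address: 0000000000A19B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\7TupDHKAwm.exe TID: 6940 Thread sleep time: -30939s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe TID: 6972 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5980 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 7024 Thread sleep time: -36000s >= -30000s Jump to behavior
Source: 7TupDHKAwm.exe, 00000000.00000002.685820710.0000000002401000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000008.00000000.690672539.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC53CA mov eax, dword ptr fs:[00000030h] 11_2_03CC53CA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC53CA mov eax, dword ptr fs:[00000030h] 11_2_03CC53CA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C703E2 mov eax, dword ptr fs:[00000030h] 11_2_03C703E2
"""


def triage(text, long_sleep_threshold=30000):
    """Summarise the evasion-relevant signature lines in `text`.

    Sleep amounts are compared in the unit the report prints them in.
    """
    summary = {
        "sleeps": [],            # one entry per "Thread sleep time" line
        "rdtsc_checks": [],      # interceptor hits with the decoded instruction list
        "vm_strings": [],        # memory strings naming a hypervisor vendor
        "peb_reads": Counter(),  # fs:[30h] reads, keyed by function id
    }
    for line in text.splitlines():
        line = line.strip()
        if m := _SLEEP_RE.match(line):
            amount = int(m["amount"])
            summary["sleeps"].append({
                "proc": m["proc"], "tid": int(m["tid"]), "amount": amount,
                "long": amount >= long_sleep_threshold,
                "infinite": amount >= INFINITE_SLEEP_SENTINEL,
            })
        elif m := _RDTSC_RE.match(line):
            insns = _INSN_RE.findall(m["ins"])
            summary["rdtsc_checks"].append({
                "proc": m["proc"],
                "first": int(m["first"], 16), "second": int(m["second"], 16),
                "instructions": insns,
                # Two reads in one short sequence: the code is timing itself.
                "paired": sum(i == "rdtsc" for i in insns) >= 2,
            })
        elif m := _MEMSTR_RE.match(line):
            s = m["s"]
            vendor = next((v for v in VM_VENDOR_MARKERS if v in s.lower()), None)
            if vendor:
                summary["vm_strings"].append(
                    {"src": m["src"], "dump": m["dump"], "string": s, "vendor": vendor})
        elif m := _PEB_RE.match(line):
            summary["peb_reads"][m["fn"]] += 1
    return summary


def describe(summary):
    """Render the summary as short lines for a triage note."""
    out = []
    for s in summary["sleeps"]:
        tag = "INFINITE" if s["infinite"] else ("long" if s["long"] else "short")
        out.append(f"sleep {tag}: {s['proc']} tid={s['tid']} amount={s['amount']}")
    for r in summary["rdtsc_checks"]:
        out.append(f"rdtsc {'paired' if r['paired'] else 'single'} in {r['proc']} "
                   f"at {r['first']:#x} (+{r['second'] - r['first']} bytes)")
    for v in summary["vm_strings"]:
        out.append(f"vm artefact ({v['vendor']}) in {v['src']}: {v['string']}")
    for fn, n in summary["peb_reads"].most_common():
        out.append(f"PEB read x{n} in function {fn}")
    return out


if __name__ == "__main__":
    print("\n".join(describe(triage(SAMPLE_LINES))))
```

Two caveats when using the counts. A read of fs:[30h] only fetches the PEB base; every Win32 program does that through ntdll and the CRT, so the per-function count is a worklist, not a verdict: the functions worth opening in a disassembler are those that go on to test PEB+0x02 (BeingDebugged) or PEB+0x68 (NtGlobalFlag) on a 32-bit process. Likewise the paired rdtsc in the intercepted sequence (read, zero ecx, add the low half, read again) is the shape of a timing check, but the threshold it compares against lives in the instructions after the second read, which the report does not show.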

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_00409AB0 rdtsc 6_2_00409AB0
Enables debug privileges
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC53CA mov eax, dword ptr fs:[00000030h] 11_2_03CC53CA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC53CA mov eax, dword ptr fs:[00000030h] 11_2_03CC53CA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C703E2 mov eax, dword ptr fs:[00000030h] 11_2_03C703E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C703E2 mov eax, dword ptr fs:[00000030h] 11_2_03C703E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C703E2 mov eax, dword ptr fs:[00000030h] 11_2_03C703E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C703E2 mov eax, dword ptr fs:[00000030h] 11_2_03C703E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C703E2 mov eax, dword ptr fs:[00000030h] 11_2_03C703E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C703E2 mov eax, dword ptr fs:[00000030h] 11_2_03C703E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6DBE9 mov eax, dword ptr fs:[00000030h] 11_2_03C6DBE9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C51B8F mov eax, dword ptr fs:[00000030h] 11_2_03C51B8F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C51B8F mov eax, dword ptr fs:[00000030h] 11_2_03C51B8F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CFD380 mov ecx, dword ptr fs:[00000030h] 11_2_03CFD380
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C72397 mov eax, dword ptr fs:[00000030h] 11_2_03C72397
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7B390 mov eax, dword ptr fs:[00000030h] 11_2_03C7B390
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0138A mov eax, dword ptr fs:[00000030h] 11_2_03D0138A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C74BAD mov eax, dword ptr fs:[00000030h] 11_2_03C74BAD
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C74BAD mov eax, dword ptr fs:[00000030h] 11_2_03C74BAD
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C74BAD mov eax, dword ptr fs:[00000030h] 11_2_03C74BAD
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D15BA5 mov eax, dword ptr fs:[00000030h] 11_2_03D15BA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4DB40 mov eax, dword ptr fs:[00000030h] 11_2_03C4DB40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D18B58 mov eax, dword ptr fs:[00000030h] 11_2_03D18B58
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4F358 mov eax, dword ptr fs:[00000030h] 11_2_03C4F358
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4DB60 mov ecx, dword ptr fs:[00000030h] 11_2_03C4DB60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C73B7A mov eax, dword ptr fs:[00000030h] 11_2_03C73B7A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C73B7A mov eax, dword ptr fs:[00000030h] 11_2_03C73B7A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0131B mov eax, dword ptr fs:[00000030h] 11_2_03D0131B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C72ACB mov eax, dword ptr fs:[00000030h] 11_2_03C72ACB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C72AE4 mov eax, dword ptr fs:[00000030h] 11_2_03C72AE4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7D294 mov eax, dword ptr fs:[00000030h] 11_2_03C7D294
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7D294 mov eax, dword ptr fs:[00000030h] 11_2_03C7D294
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C452A5 mov eax, dword ptr fs:[00000030h] 11_2_03C452A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C452A5 mov eax, dword ptr fs:[00000030h] 11_2_03C452A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C452A5 mov eax, dword ptr fs:[00000030h] 11_2_03C452A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C452A5 mov eax, dword ptr fs:[00000030h] 11_2_03C452A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C452A5 mov eax, dword ptr fs:[00000030h] 11_2_03C452A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5AAB0 mov eax, dword ptr fs:[00000030h] 11_2_03C5AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5AAB0 mov eax, dword ptr fs:[00000030h] 11_2_03C5AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7FAB0 mov eax, dword ptr fs:[00000030h] 11_2_03C7FAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C49240 mov eax, dword ptr fs:[00000030h] 11_2_03C49240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C49240 mov eax, dword ptr fs:[00000030h] 11_2_03C49240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C49240 mov eax, dword ptr fs:[00000030h] 11_2_03C49240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C49240 mov eax, dword ptr fs:[00000030h] 11_2_03C49240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0EA55 mov eax, dword ptr fs:[00000030h] 11_2_03D0EA55
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CD4257 mov eax, dword ptr fs:[00000030h] 11_2_03CD4257
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CFB260 mov eax, dword ptr fs:[00000030h] 11_2_03CFB260
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CFB260 mov eax, dword ptr fs:[00000030h] 11_2_03CFB260
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C8927A mov eax, dword ptr fs:[00000030h] 11_2_03C8927A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D18A62 mov eax, dword ptr fs:[00000030h] 11_2_03D18A62
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0AA16 mov eax, dword ptr fs:[00000030h] 11_2_03D0AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0AA16 mov eax, dword ptr fs:[00000030h] 11_2_03D0AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C58A0A mov eax, dword ptr fs:[00000030h] 11_2_03C58A0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4AA16 mov eax, dword ptr fs:[00000030h] 11_2_03C4AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4AA16 mov eax, dword ptr fs:[00000030h] 11_2_03C4AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C45210 mov eax, dword ptr fs:[00000030h] 11_2_03C45210
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C45210 mov ecx, dword ptr fs:[00000030h] 11_2_03C45210
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C45210 mov eax, dword ptr fs:[00000030h] 11_2_03C45210
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C45210 mov eax, dword ptr fs:[00000030h] 11_2_03C45210
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C63A1C mov eax, dword ptr fs:[00000030h] 11_2_03C63A1C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C84A2C mov eax, dword ptr fs:[00000030h] 11_2_03C84A2C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C84A2C mov eax, dword ptr fs:[00000030h] 11_2_03C84A2C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A229 mov eax, dword ptr fs:[00000030h] 11_2_03C6A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A229 mov eax, dword ptr fs:[00000030h] 11_2_03C6A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A229 mov eax, dword ptr fs:[00000030h] 11_2_03C6A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A229 mov eax, dword ptr fs:[00000030h] 11_2_03C6A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A229 mov eax, dword ptr fs:[00000030h] 11_2_03C6A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A229 mov eax, dword ptr fs:[00000030h] 11_2_03C6A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A229 mov eax, dword ptr fs:[00000030h] 11_2_03C6A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A229 mov eax, dword ptr fs:[00000030h] 11_2_03C6A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A229 mov eax, dword ptr fs:[00000030h] 11_2_03C6A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CD41E8 mov eax, dword ptr fs:[00000030h] 11_2_03CD41E8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4B1E1 mov eax, dword ptr fs:[00000030h] 11_2_03C4B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4B1E1 mov eax, dword ptr fs:[00000030h] 11_2_03C4B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4B1E1 mov eax, dword ptr fs:[00000030h] 11_2_03C4B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7A185 mov eax, dword ptr fs:[00000030h] 11_2_03C7A185
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6C182 mov eax, dword ptr fs:[00000030h] 11_2_03C6C182
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C72990 mov eax, dword ptr fs:[00000030h] 11_2_03C72990
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C761A0 mov eax, dword ptr fs:[00000030h] 11_2_03C761A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C761A0 mov eax, dword ptr fs:[00000030h] 11_2_03C761A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC69A6 mov eax, dword ptr fs:[00000030h] 11_2_03CC69A6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC51BE mov eax, dword ptr fs:[00000030h] 11_2_03CC51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC51BE mov eax, dword ptr fs:[00000030h] 11_2_03CC51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC51BE mov eax, dword ptr fs:[00000030h] 11_2_03CC51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC51BE mov eax, dword ptr fs:[00000030h] 11_2_03CC51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D049A4 mov eax, dword ptr fs:[00000030h] 11_2_03D049A4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D049A4 mov eax, dword ptr fs:[00000030h] 11_2_03D049A4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D049A4 mov eax, dword ptr fs:[00000030h] 11_2_03D049A4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D049A4 mov eax, dword ptr fs:[00000030h] 11_2_03D049A4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6B944 mov eax, dword ptr fs:[00000030h] 11_2_03C6B944
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6B944 mov eax, dword ptr fs:[00000030h] 11_2_03C6B944
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4C962 mov eax, dword ptr fs:[00000030h] 11_2_03C4C962
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4B171 mov eax, dword ptr fs:[00000030h] 11_2_03C4B171
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4B171 mov eax, dword ptr fs:[00000030h] 11_2_03C4B171
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C49100 mov eax, dword ptr fs:[00000030h] 11_2_03C49100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C49100 mov eax, dword ptr fs:[00000030h] 11_2_03C49100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C49100 mov eax, dword ptr fs:[00000030h] 11_2_03C49100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C64120 mov eax, dword ptr fs:[00000030h] 11_2_03C64120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C64120 mov eax, dword ptr fs:[00000030h] 11_2_03C64120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C64120 mov eax, dword ptr fs:[00000030h] 11_2_03C64120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C64120 mov eax, dword ptr fs:[00000030h] 11_2_03C64120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C64120 mov ecx, dword ptr fs:[00000030h] 11_2_03C64120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7513A mov eax, dword ptr fs:[00000030h] 11_2_03C7513A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7513A mov eax, dword ptr fs:[00000030h] 11_2_03C7513A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CDB8D0 mov eax, dword ptr fs:[00000030h] 11_2_03CDB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CDB8D0 mov ecx, dword ptr fs:[00000030h] 11_2_03CDB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CDB8D0 mov eax, dword ptr fs:[00000030h] 11_2_03CDB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CDB8D0 mov eax, dword ptr fs:[00000030h] 11_2_03CDB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CDB8D0 mov eax, dword ptr fs:[00000030h] 11_2_03CDB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CDB8D0 mov eax, dword ptr fs:[00000030h] 11_2_03CDB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C440E1 mov eax, dword ptr fs:[00000030h] 11_2_03C440E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C440E1 mov eax, dword ptr fs:[00000030h] 11_2_03C440E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C440E1 mov eax, dword ptr fs:[00000030h] 11_2_03C440E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C458EC mov eax, dword ptr fs:[00000030h] 11_2_03C458EC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C49080 mov eax, dword ptr fs:[00000030h] 11_2_03C49080
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC3884 mov eax, dword ptr fs:[00000030h] 11_2_03CC3884
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC3884 mov eax, dword ptr fs:[00000030h] 11_2_03CC3884
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C890AF mov eax, dword ptr fs:[00000030h] 11_2_03C890AF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C720A0 mov eax, dword ptr fs:[00000030h] 11_2_03C720A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C720A0 mov eax, dword ptr fs:[00000030h] 11_2_03C720A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C720A0 mov eax, dword ptr fs:[00000030h] 11_2_03C720A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C720A0 mov eax, dword ptr fs:[00000030h] 11_2_03C720A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C720A0 mov eax, dword ptr fs:[00000030h] 11_2_03C720A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C720A0 mov eax, dword ptr fs:[00000030h] 11_2_03C720A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7F0BF mov ecx, dword ptr fs:[00000030h] 11_2_03C7F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7F0BF mov eax, dword ptr fs:[00000030h] 11_2_03C7F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7F0BF mov eax, dword ptr fs:[00000030h] 11_2_03C7F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C60050 mov eax, dword ptr fs:[00000030h] 11_2_03C60050
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C60050 mov eax, dword ptr fs:[00000030h] 11_2_03C60050
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D02073 mov eax, dword ptr fs:[00000030h] 11_2_03D02073
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D11074 mov eax, dword ptr fs:[00000030h] 11_2_03D11074
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D14015 mov eax, dword ptr fs:[00000030h] 11_2_03D14015
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D14015 mov eax, dword ptr fs:[00000030h] 11_2_03D14015
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC7016 mov eax, dword ptr fs:[00000030h] 11_2_03CC7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC7016 mov eax, dword ptr fs:[00000030h] 11_2_03CC7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC7016 mov eax, dword ptr fs:[00000030h] 11_2_03CC7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7002D mov eax, dword ptr fs:[00000030h] 11_2_03C7002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7002D mov eax, dword ptr fs:[00000030h] 11_2_03C7002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7002D mov eax, dword ptr fs:[00000030h] 11_2_03C7002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7002D mov eax, dword ptr fs:[00000030h] 11_2_03C7002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7002D mov eax, dword ptr fs:[00000030h] 11_2_03C7002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5B02A mov eax, dword ptr fs:[00000030h] 11_2_03C5B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5B02A mov eax, dword ptr fs:[00000030h] 11_2_03C5B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5B02A mov eax, dword ptr fs:[00000030h] 11_2_03C5B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5B02A mov eax, dword ptr fs:[00000030h] 11_2_03C5B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A830 mov eax, dword ptr fs:[00000030h] 11_2_03C6A830
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A830 mov eax, dword ptr fs:[00000030h] 11_2_03C6A830
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A830 mov eax, dword ptr fs:[00000030h] 11_2_03C6A830
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6A830 mov eax, dword ptr fs:[00000030h] 11_2_03C6A830
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C837F5 mov eax, dword ptr fs:[00000030h] 11_2_03C837F5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C58794 mov eax, dword ptr fs:[00000030h] 11_2_03C58794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC7794 mov eax, dword ptr fs:[00000030h] 11_2_03CC7794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC7794 mov eax, dword ptr fs:[00000030h] 11_2_03CC7794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC7794 mov eax, dword ptr fs:[00000030h] 11_2_03CC7794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5EF40 mov eax, dword ptr fs:[00000030h] 11_2_03C5EF40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5FF60 mov eax, dword ptr fs:[00000030h] 11_2_03C5FF60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D18F6A mov eax, dword ptr fs:[00000030h] 11_2_03D18F6A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7A70E mov eax, dword ptr fs:[00000030h] 11_2_03C7A70E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7A70E mov eax, dword ptr fs:[00000030h] 11_2_03C7A70E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6F716 mov eax, dword ptr fs:[00000030h] 11_2_03C6F716
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D1070D mov eax, dword ptr fs:[00000030h] 11_2_03D1070D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D1070D mov eax, dword ptr fs:[00000030h] 11_2_03D1070D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CDFF10 mov eax, dword ptr fs:[00000030h] 11_2_03CDFF10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CDFF10 mov eax, dword ptr fs:[00000030h] 11_2_03CDFF10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C44F2E mov eax, dword ptr fs:[00000030h] 11_2_03C44F2E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C44F2E mov eax, dword ptr fs:[00000030h] 11_2_03C44F2E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7E730 mov eax, dword ptr fs:[00000030h] 11_2_03C7E730
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D18ED6 mov eax, dword ptr fs:[00000030h] 11_2_03D18ED6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C736CC mov eax, dword ptr fs:[00000030h] 11_2_03C736CC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CFFEC0 mov eax, dword ptr fs:[00000030h] 11_2_03CFFEC0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C88EC7 mov eax, dword ptr fs:[00000030h] 11_2_03C88EC7
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C716E0 mov ecx, dword ptr fs:[00000030h] 11_2_03C716E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C576E2 mov eax, dword ptr fs:[00000030h] 11_2_03C576E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CDFE87 mov eax, dword ptr fs:[00000030h] 11_2_03CDFE87
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC46A7 mov eax, dword ptr fs:[00000030h] 11_2_03CC46A7
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D10EA5 mov eax, dword ptr fs:[00000030h] 11_2_03D10EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D10EA5 mov eax, dword ptr fs:[00000030h] 11_2_03D10EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D10EA5 mov eax, dword ptr fs:[00000030h] 11_2_03D10EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C57E41 mov eax, dword ptr fs:[00000030h] 11_2_03C57E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C57E41 mov eax, dword ptr fs:[00000030h] 11_2_03C57E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C57E41 mov eax, dword ptr fs:[00000030h] 11_2_03C57E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C57E41 mov eax, dword ptr fs:[00000030h] 11_2_03C57E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C57E41 mov eax, dword ptr fs:[00000030h] 11_2_03C57E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C57E41 mov eax, dword ptr fs:[00000030h] 11_2_03C57E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0AE44 mov eax, dword ptr fs:[00000030h] 11_2_03D0AE44
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0AE44 mov eax, dword ptr fs:[00000030h] 11_2_03D0AE44
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5766D mov eax, dword ptr fs:[00000030h] 11_2_03C5766D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6AE73 mov eax, dword ptr fs:[00000030h] 11_2_03C6AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6AE73 mov eax, dword ptr fs:[00000030h] 11_2_03C6AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6AE73 mov eax, dword ptr fs:[00000030h] 11_2_03C6AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6AE73 mov eax, dword ptr fs:[00000030h] 11_2_03C6AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6AE73 mov eax, dword ptr fs:[00000030h] 11_2_03C6AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4C600 mov eax, dword ptr fs:[00000030h] 11_2_03C4C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4C600 mov eax, dword ptr fs:[00000030h] 11_2_03C4C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4C600 mov eax, dword ptr fs:[00000030h] 11_2_03C4C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C78E00 mov eax, dword ptr fs:[00000030h] 11_2_03C78E00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D01608 mov eax, dword ptr fs:[00000030h] 11_2_03D01608
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7A61C mov eax, dword ptr fs:[00000030h] 11_2_03C7A61C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7A61C mov eax, dword ptr fs:[00000030h] 11_2_03C7A61C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4E620 mov eax, dword ptr fs:[00000030h] 11_2_03C4E620
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CFFE3F mov eax, dword ptr fs:[00000030h] 11_2_03CFFE3F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC6DC9 mov eax, dword ptr fs:[00000030h] 11_2_03CC6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC6DC9 mov eax, dword ptr fs:[00000030h] 11_2_03CC6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC6DC9 mov eax, dword ptr fs:[00000030h] 11_2_03CC6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC6DC9 mov ecx, dword ptr fs:[00000030h] 11_2_03CC6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC6DC9 mov eax, dword ptr fs:[00000030h] 11_2_03CC6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC6DC9 mov eax, dword ptr fs:[00000030h] 11_2_03CC6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5D5E0 mov eax, dword ptr fs:[00000030h] 11_2_03C5D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5D5E0 mov eax, dword ptr fs:[00000030h] 11_2_03C5D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0FDE2 mov eax, dword ptr fs:[00000030h] 11_2_03D0FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0FDE2 mov eax, dword ptr fs:[00000030h] 11_2_03D0FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0FDE2 mov eax, dword ptr fs:[00000030h] 11_2_03D0FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0FDE2 mov eax, dword ptr fs:[00000030h] 11_2_03D0FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CF8DF1 mov eax, dword ptr fs:[00000030h] 11_2_03CF8DF1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C72581 mov eax, dword ptr fs:[00000030h] 11_2_03C72581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C72581 mov eax, dword ptr fs:[00000030h] 11_2_03C72581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C72581 mov eax, dword ptr fs:[00000030h] 11_2_03C72581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C72581 mov eax, dword ptr fs:[00000030h] 11_2_03C72581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C42D8A mov eax, dword ptr fs:[00000030h] 11_2_03C42D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C42D8A mov eax, dword ptr fs:[00000030h] 11_2_03C42D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C42D8A mov eax, dword ptr fs:[00000030h] 11_2_03C42D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C42D8A mov eax, dword ptr fs:[00000030h] 11_2_03C42D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C42D8A mov eax, dword ptr fs:[00000030h] 11_2_03C42D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7FD9B mov eax, dword ptr fs:[00000030h] 11_2_03C7FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7FD9B mov eax, dword ptr fs:[00000030h] 11_2_03C7FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C735A1 mov eax, dword ptr fs:[00000030h] 11_2_03C735A1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C71DB5 mov eax, dword ptr fs:[00000030h] 11_2_03C71DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C71DB5 mov eax, dword ptr fs:[00000030h] 11_2_03C71DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C71DB5 mov eax, dword ptr fs:[00000030h] 11_2_03C71DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D105AC mov eax, dword ptr fs:[00000030h] 11_2_03D105AC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D105AC mov eax, dword ptr fs:[00000030h] 11_2_03D105AC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C83D43 mov eax, dword ptr fs:[00000030h] 11_2_03C83D43
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC3540 mov eax, dword ptr fs:[00000030h] 11_2_03CC3540
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CF3D40 mov eax, dword ptr fs:[00000030h] 11_2_03CF3D40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C67D50 mov eax, dword ptr fs:[00000030h] 11_2_03C67D50
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6C577 mov eax, dword ptr fs:[00000030h] 11_2_03C6C577
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6C577 mov eax, dword ptr fs:[00000030h] 11_2_03C6C577
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D18D34 mov eax, dword ptr fs:[00000030h] 11_2_03D18D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D0E539 mov eax, dword ptr fs:[00000030h] 11_2_03D0E539
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C53D34 mov eax, dword ptr fs:[00000030h] 11_2_03C53D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C53D34 mov eax, dword ptr fs:[00000030h] 11_2_03C53D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C53D34 mov eax, dword ptr fs:[00000030h] 11_2_03C53D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C53D34 mov eax, dword ptr fs:[00000030h] 11_2_03C53D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C53D34 mov eax, dword ptr fs:[00000030h] 11_2_03C53D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C53D34 mov eax, dword ptr fs:[00000030h] 11_2_03C53D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C53D34 mov eax, dword ptr fs:[00000030h] 11_2_03C53D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C53D34 mov eax, dword ptr fs:[00000030h] 11_2_03C53D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C53D34 mov eax, dword ptr fs:[00000030h] 11_2_03C53D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C53D34 mov eax, dword ptr fs:[00000030h] 11_2_03C53D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C53D34 mov eax, dword ptr fs:[00000030h] 11_2_03C53D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C53D34 mov eax, dword ptr fs:[00000030h] 11_2_03C53D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C53D34 mov eax, dword ptr fs:[00000030h] 11_2_03C53D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C4AD30 mov eax, dword ptr fs:[00000030h] 11_2_03C4AD30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CCA537 mov eax, dword ptr fs:[00000030h] 11_2_03CCA537
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C74D3B mov eax, dword ptr fs:[00000030h] 11_2_03C74D3B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C74D3B mov eax, dword ptr fs:[00000030h] 11_2_03C74D3B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C74D3B mov eax, dword ptr fs:[00000030h] 11_2_03C74D3B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D18CD6 mov eax, dword ptr fs:[00000030h] 11_2_03D18CD6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D014FB mov eax, dword ptr fs:[00000030h] 11_2_03D014FB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC6CF0 mov eax, dword ptr fs:[00000030h] 11_2_03CC6CF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C5849B mov eax, dword ptr fs:[00000030h] 11_2_03C5849B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7A44B mov eax, dword ptr fs:[00000030h] 11_2_03C7A44B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CDC450 mov eax, dword ptr fs:[00000030h] 11_2_03CDC450
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C6746D mov eax, dword ptr fs:[00000030h] 11_2_03C6746D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03CC6C0A mov eax, dword ptr fs:[00000030h] 11_2_03CC6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D01C06 mov eax, dword ptr fs:[00000030h] 11_2_03D01C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03D1740D mov eax, dword ptr fs:[00000030h] 11_2_03D1740D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 11_2_03C7BC2C mov eax, dword ptr fs:[00000030h] 11_2_03C7BC2C
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Code function: 6_2_0040ACF0 LdrLoadDll, 6_2_0040ACF0
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.amazonretoure.net
Source: C:\Windows\explorer.exe Network Connect: 46.38.243.234 80
Source: C:\Windows\explorer.exe Domain query: www.lenovoidc.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: BB0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Memory written: C:\Users\user\Desktop\7TupDHKAwm.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 3424
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Process created: C:\Users\user\Desktop\7TupDHKAwm.exe C:\Users\user\Desktop\7TupDHKAwm.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\7TupDHKAwm.exe'
Source: explorer.exe, 00000008.00000000.704144517.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000008.00000000.704585751.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 0000000B.00000002.925402557.00000000052B0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.704585751.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 0000000B.00000002.925402557.00000000052B0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.704585751.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 0000000B.00000002.925402557.00000000052B0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.704585751.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 0000000B.00000002.925402557.00000000052B0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000000.697945168.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Users\user\Desktop\7TupDHKAwm.exe VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.7TupDHKAwm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.7TupDHKAwm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7TupDHKAwm.exe.353e9a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.742059304.0000000001830000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922711515.0000000000A10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.741623737.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686015292.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.728776884.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.683641477.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.742802941.0000000001BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.713098420.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.924521754.0000000002DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922851671.0000000000B70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.682941306.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.7TupDHKAwm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.7TupDHKAwm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7TupDHKAwm.exe.353e9a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.742059304.0000000001830000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922711515.0000000000A10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.741623737.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686015292.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.728776884.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.683641477.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.742802941.0000000001BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.713098420.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.924521754.0000000002DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922851671.0000000000B70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.682941306.0000000000400000.00000040.00000001.sdmp, type: MEMORY
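The two Yara lists above (Stealing of Sensitive Information and Remote Access Functionality) are the same set of matches filed under two categories, and the useful information is in the source names: which process index each match came from, at what base address, and with what page protection. The long run of VolumeInformation queries before them is, in my reading, runtime noise from a .NET font enumeration walking C:\Windows\Fonts, with the MachineGuid read being the one query worth keeping. The following Python script is an added triage example, not part of the report or of any Joe Sandbox tooling; it parses a constructed excerpt of the lines above, collapses the volume queries per directory, keeps the registry read, and groups the Yara matches per process so that the hollowed child and the injected processes stand out. The field layout of the `.sdmp` and `.unpack` names (process index, stage, dump id, base address, protection, type) is my assumption from the names themselves, and the protection value is decoded with the Win32 PAGE_EXECUTE_READWRITE constant (0x40).

```python
import re
from collections import Counter, defaultdict

# Constructed input: a few lines copied in the format of the report above (font-file
# VolumeInformation queries, the MachineGuid read, and Yara match sources).
REPORT = r"""
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\7TupDHKAwm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Yara match File source: 6.0.7TupDHKAwm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.7TupDHKAwm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7TupDHKAwm.exe.353e9a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.742059304.0000000001830000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.922711515.0000000000A10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.741623737.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686015292.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.728776884.000000000E4BB000.00000040.00020000.sdmp, type: MEMORY
"""

PAGE_EXECUTE_READWRITE = 0x40  # Win32 PAGE_* constant; assumed meaning of the protection field

VOLUME_RE = re.compile(r"Queries volume information: (?P<path>.+?) VolumeInformation\s*$")
REGKEY_RE = re.compile(r"Key value queried: (?P<key>\S+) (?P<value>\S+)\s*$")
# Assumed layout of a memory dump name: proc index, stage, dump id, base, protection, type (hex).
MEMORY_RE = re.compile(
    r"File source: (?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp, type: MEMORY"
)
# Assumed layout of an unpacked PE name: proc index, stage, image name, base (hex), index[, raw].
UNPACKED_RE = re.compile(
    r"File source: (?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)"
    r"\.\d+\.(?:raw\.)?unpack, type: UNPACKEDPE"
)


def collapse_volume_queries(text):
    """Count VolumeInformation queries per directory, so a runtime touching every
    file in C:\\Windows\\Fonts becomes one number and unusual targets stand out."""
    by_dir = Counter()
    for line in text.splitlines():
        m = VOLUME_RE.search(line)
        if m:
            by_dir[m["path"].rsplit("\\", 1)[0]] += 1
    return by_dir


def registry_reads(text):
    """Return (key, value) pairs for 'Key value queried' lines."""
    return [(m["key"], m["value"]) for m in map(REGKEY_RE.search, text.splitlines()) if m]


def parse_yara_sources(text):
    """Turn Yara 'File source' lines into records: process index, base address,
    page protection (memory dumps only) and whether a PE was carved from the region."""
    hits = []
    for line in text.splitlines():
        m = MEMORY_RE.search(line)
        if m:
            hits.append({"proc": int(m["proc"], 16), "base": int(m["base"], 16),
                         "prot": int(m["prot"], 16), "kind": "MEMORY"})
            continue
        m = UNPACKED_RE.search(line)
        if m:
            hits.append({"proc": int(m["proc"]), "base": int(m["base"], 16),
                         "prot": None, "kind": "UNPACKEDPE"})
    return hits


def summarize(hits):
    """Per process: distinct matching regions, how many were RWX, how many carved PEs."""
    per_proc = defaultdict(lambda: {"regions": set(), "rwx": 0, "unpacked_pe": 0})
    for h in hits:
        entry = per_proc[h["proc"]]
        entry["regions"].add(h["base"])
        if h["prot"] == PAGE_EXECUTE_READWRITE:
            entry["rwx"] += 1
        if h["kind"] == "UNPACKEDPE":
            entry["unpacked_pe"] += 1
    return dict(per_proc)


def injection_targets(summary, dropper_proc=0):
    """Processes other than the submitted sample that hold an RWX region matching the
    FormBook rule or a carved PE: the hollowed child and the processes it injected into."""
    return sorted(p for p, s in summary.items()
                  if p != dropper_proc and (s["rwx"] or s["unpacked_pe"]))


if __name__ == "__main__":
    print(collapse_volume_queries(REPORT))
    print(registry_reads(REPORT))
    summary = summarize(parse_yara_sources(REPORT))
    for proc in injection_targets(summary):
        regions = [hex(b) for b in sorted(summary[proc]["regions"])]
        print(f"process {proc}: regions {regions}, rwx={summary[proc]['rwx']}, "
              f"carved PEs={summary[proc]['unpacked_pe']}")
```

On the excerpt, process 6 shows the FormBook rule matching both at the image base 0x400000 with RWX protection and in a carved PE, which is the pattern the "process hollowing" signature in the overview describes, while processes 8 and 0xB carry RWX matches at non-image addresses, consistent with the injection signatures. Process 0 (the submitted sample) matches only in a read-write heap region and in a carved buffer, i.e. the packed payload before it was unpacked.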