Analysis Report in.exe

Overview

General Information

Sample Name: in.exe
Analysis ID: 339331
MD5: cc35be28c18578d43849919ac1025d5a
SHA1: 60bcb41d5ef76af919c769fab88f53c6a623a83b
SHA256: 0c9d116a854e274534015e3e8e8349687c0c17b01653723642aeee53aa39bfac
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: in.exe Avira: detected
Found malware configuration
Source: 2.2.in.exe.400000.0.unpack Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bc3", "KEY1_OFFSET 0x1d771", "CONFIG SIZE : 0xd9", "CONFIG OFFSET 0x1d873", "URL SIZE : 28", "searching string pattern", "strings_offset 0x1c373", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x64d4c905", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d739f", "0x9f715030", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0120e8", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01745", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", 
"0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",
Multi AV Scanner detection for submitted file
Source: in.exe Virustotal: Detection: 46%
Yara detected FormBook
Source: Yara match File source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: in.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.in.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.in.exe.2b50000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: in.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: in.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp
Source: Binary string: netstat.pdb source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: in.exe, 00000001.00000003.250116639.000000001ABB0000.00000004.00000001.sdmp, in.exe, 00000002.00000002.292914452.000000000179F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.600753548.0000000002D5F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: in.exe, NETSTAT.EXE

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\in.exe Code function: 4x nop then pop edi 2_2_0040E43D
Source: C:\Users\user\Desktop\in.exe Code function: 4x nop then pop edi 2_2_00416CAC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 11_2_0043E43D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 11_2_00446CAC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49748 -> 198.185.159.144:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49748 -> 198.185.159.144:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49748 -> 198.185.159.144:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49751 -> 199.59.242.153:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49751 -> 199.59.242.153:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49751 -> 199.59.242.153:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49754 -> 94.23.162.163:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49754 -> 94.23.162.163:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49754 -> 94.23.162.163:80
Uses netstat to query active network connections and open ports
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /uds2/?Y4spQFW=vIE1ET6pQu49m+QHY7YrZ7t2bRuoKngw2h26Ua5bu/NnC6rxsHDfr4DpunyQx1XamxAZm7X6xg==&Ezu=VTChCL_ht2spUrI HTTP/1.1 Host: www.seak.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uds2/?Y4spQFW=G5yaYpuBg7XYabQFtGr/YwUbUG6Du4hspLJ6ti3LnsVJcslX7oGk4EUBP1FenotTMaF2IKx0Gw==&Ezu=VTChCL_ht2spUrI HTTP/1.1 Host: www.cptdesignstudio.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uds2/?Y4spQFW=nX62fi3FGck0KYkDLbl3wNFzysJuwQN4fQs5/MCF0tdU2wk9ctHDwkR8RP5qD5uIs0RtT2NFRQ==&Ezu=VTChCL_ht2spUrI HTTP/1.1 Host: www.demenageseul.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uds2/?Y4spQFW=n2X6clJmCA05S3ZeqrcWmU9LgTYh3Xo9IMSlcPg8h+SS+WcZ+1zi1nXkqGc0mRUifak24jBbuw==&Ezu=VTChCL_ht2spUrI HTTP/1.1 Host: www.concur.design Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.59.242.153 199.59.242.153
Source: Joe Sandbox View IP Address: 198.185.159.144 198.185.159.144
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BODIS-NJUS BODIS-NJUS
Source: unknown DNS traffic detected: queries for: www.seak.xyz
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.267490258.000000000686B000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: NETSTAT.EXE, 0000000B.00000002.602127128.000000000365F000.00000004.00000001.sdmp String found in binary or memory: http://www.spontaneoushomeschooler.com/
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041A060 NtClose, 2_2_0041A060
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041A110 NtAllocateVirtualMemory, 2_2_0041A110
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00419F30 NtCreateFile, 2_2_00419F30
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00419FE0 NtReadFile, 2_2_00419FE0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00419F82 NtCreateFile, 2_2_00419F82
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9540 NtReadFile,LdrInitializeThunk, 2_2_016E9540
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_016E9910
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E95D0 NtClose,LdrInitializeThunk, 2_2_016E95D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E99A0 NtCreateSection,LdrInitializeThunk, 2_2_016E99A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_016E9860
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9840 NtDelayExecution,LdrInitializeThunk, 2_2_016E9840
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E98F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_016E98F0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9710 NtQueryInformationToken,LdrInitializeThunk, 2_2_016E9710
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E97A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_016E97A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9780 NtMapViewOfSection,LdrInitializeThunk, 2_2_016E9780
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_016E9660
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9A50 NtCreateFile,LdrInitializeThunk, 2_2_016E9A50
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9A20 NtResumeThread,LdrInitializeThunk, 2_2_016E9A20
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_016E9A00
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_016E96E0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9560 NtWriteFile, 2_2_016E9560
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9950 NtQueueApcThread, 2_2_016E9950
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9520 NtWaitForSingleObject, 2_2_016E9520
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016EAD30 NtSetContextThread, 2_2_016EAD30
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E95F0 NtQueryInformationFile, 2_2_016E95F0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E99D0 NtCreateProcessEx, 2_2_016E99D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016EB040 NtSuspendThread, 2_2_016EB040
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9820 NtEnumerateKey, 2_2_016E9820
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E98A0 NtWriteVirtualMemory, 2_2_016E98A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9760 NtOpenProcess, 2_2_016E9760
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9770 NtSetInformationFile, 2_2_016E9770
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016EA770 NtOpenThread, 2_2_016EA770
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9730 NtQueryVirtualMemory, 2_2_016E9730
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9B00 NtSetValueKey, 2_2_016E9B00
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016EA710 NtOpenProcessToken, 2_2_016EA710
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9FE0 NtCreateMutant, 2_2_016E9FE0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016EA3B0 NtGetContextThread, 2_2_016EA3B0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9670 NtQueryInformationProcess, 2_2_016E9670
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9650 NtQueryValueKey, 2_2_016E9650
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9610 NtEnumerateValueKey, 2_2_016E9610
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9A10 NtQuerySection, 2_2_016E9A10
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E96D0 NtCreateKey, 2_2_016E96D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9A80 NtOpenDirectoryObject, 2_2_016E9A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA96D0 NtCreateKey,LdrInitializeThunk, 11_2_02CA96D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA96E0 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_02CA96E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9650 NtQueryValueKey,LdrInitializeThunk, 11_2_02CA9650
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9A50 NtCreateFile,LdrInitializeThunk, 11_2_02CA9A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9660 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_02CA9660
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9FE0 NtCreateMutant,LdrInitializeThunk, 11_2_02CA9FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9780 NtMapViewOfSection,LdrInitializeThunk, 11_2_02CA9780
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9710 NtQueryInformationToken,LdrInitializeThunk, 11_2_02CA9710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9840 NtDelayExecution,LdrInitializeThunk, 11_2_02CA9840
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9860 NtQuerySystemInformation,LdrInitializeThunk, 11_2_02CA9860
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA95D0 NtClose,LdrInitializeThunk, 11_2_02CA95D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA99A0 NtCreateSection,LdrInitializeThunk, 11_2_02CA99A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9540 NtReadFile,LdrInitializeThunk, 11_2_02CA9540
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_02CA9910
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9A80 NtOpenDirectoryObject, 11_2_02CA9A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9670 NtQueryInformationProcess, 11_2_02CA9670
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9A00 NtProtectVirtualMemory, 11_2_02CA9A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9610 NtEnumerateValueKey, 11_2_02CA9610
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9A10 NtQuerySection, 11_2_02CA9A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9A20 NtResumeThread, 11_2_02CA9A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA97A0 NtUnmapViewOfSection, 11_2_02CA97A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CAA3B0 NtGetContextThread, 11_2_02CAA3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9760 NtOpenProcess, 11_2_02CA9760
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9770 NtSetInformationFile, 11_2_02CA9770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CAA770 NtOpenThread, 11_2_02CAA770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9B00 NtSetValueKey, 11_2_02CA9B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CAA710 NtOpenProcessToken, 11_2_02CAA710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9730 NtQueryVirtualMemory, 11_2_02CA9730
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA98F0 NtReadVirtualMemory, 11_2_02CA98F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA98A0 NtWriteVirtualMemory, 11_2_02CA98A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CAB040 NtSuspendThread, 11_2_02CAB040
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9820 NtEnumerateKey, 11_2_02CA9820
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA99D0 NtCreateProcessEx, 11_2_02CA99D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA95F0 NtQueryInformationFile, 11_2_02CA95F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9950 NtQueueApcThread, 11_2_02CA9950
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9560 NtWriteFile, 11_2_02CA9560
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9520 NtWaitForSingleObject, 11_2_02CA9520
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CAAD30 NtSetContextThread, 11_2_02CAAD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_0044A060 NtClose, 11_2_0044A060
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_0044A110 NtAllocateVirtualMemory, 11_2_0044A110
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00449F30 NtCreateFile, 11_2_00449F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00449FE0 NtReadFile, 11_2_00449FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00449F82 NtCreateFile, 11_2_00449F82
Detected potential crypto function
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041E1F6 2_2_0041E1F6
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041EBD7 2_2_0041EBD7
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041E461 2_2_0041E461
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041EC27 2_2_0041EC27
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00402D87 2_2_00402D87
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00409E40 2_2_00409E40
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00409E3B 2_2_00409E3B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041E7D7 2_2_0041E7D7
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041E7DA 2_2_0041E7DA
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01771D55 2_2_01771D55
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A0D20 2_2_016A0D20
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016C4120 2_2_016C4120
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AF900 2_2_016AF900
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016BD5E0 2_2_016BD5E0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761002 2_2_01761002
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B841F 2_2_016B841F
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016BB090 2_2_016BB090
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DEBB0 2_2_016DEBB0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016C6E30 2_2_016C6E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D32EF7 11_2_02D32EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D322AE 11_2_02D322AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C86E30 11_2_02C86E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D31FF1 11_2_02D31FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9EBB0 11_2_02C9EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D32B28 11_2_02D32B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7B090 11_2_02C7B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C920A0 11_2_02C920A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D320A8 11_2_02D320A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21002 11_2_02D21002
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7841F 11_2_02C7841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7D5E0 11_2_02C7D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C92581 11_2_02C92581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D31D55 11_2_02D31D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6F900 11_2_02C6F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D32D07 11_2_02D32D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C60D20 11_2_02C60D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C84120 11_2_02C84120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_0044E1F6 11_2_0044E1F6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_0044E461 11_2_0044E461
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00432D87 11_2_00432D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00432D90 11_2_00432D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00439E40 11_2_00439E40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00439E3B 11_2_00439E3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_0044E7DA 11_2_0044E7DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00432FB0 11_2_00432FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 02C6B150 appears 35 times
Source: C:\Users\user\Desktop\in.exe Code function: String function: 016AB150 appears 32 times
Source: C:\Users\user\Desktop\in.exe Code function: String function: 00B47C9A appears 60 times
Sample file is different than original file name gathered from version info
Source: in.exe, 00000001.00000003.250265287.000000001ACCF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs in.exe
Source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs in.exe
Source: in.exe, 00000002.00000002.292914452.000000000179F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs in.exe
Uses 32bit PE files
Source: in.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/0@6/4
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_01
Source: in.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\in.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: in.exe Virustotal: Detection: 46%
Source: C:\Users\user\Desktop\in.exe File read: C:\Users\user\Desktop\in.exe
Source: unknown Process created: C:\Users\user\Desktop\in.exe 'C:\Users\user\Desktop\in.exe'
Source: unknown Process created: C:\Users\user\Desktop\in.exe 'C:\Users\user\Desktop\in.exe'
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\in.exe Process created: C:\Users\user\Desktop\in.exe 'C:\Users\user\Desktop\in.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
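The process list above is the chain a detection engineer wants a rule for: in.exe starts a second copy of itself, NETSTAT.EXE (a system utility with no legitimate reason to spawn cmd.exe) launches cmd.exe, and that cmd.exe deletes the original sample. The script below is an added example, not part of the Joe Sandbox report: it runs three checks over constructed Sysmon-style process-creation records built from the report's process list. The pids reuse the report's process numbers; the parent of NETSTAT.EXE is not given in the report and is assumed to be explorer.exe here.

```python
"""Flag the process-tree behaviour recorded in the report: self-spawn,
NETSTAT.EXE -> cmd.exe, and cmd.exe deleting the original sample.

Added example, not part of the sandbox report. Event records mimic a Sysmon
process-creation event (pid, ppid, image, cmdline) and are constructed.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# "del <path>", with or without quotes around the path
DEL_CMD = re.compile(r"\bdel\b\s+['\"]?(?P<path>[^'\"]+?)['\"]?\s*$", re.IGNORECASE)


def _base(image: str) -> str:
    """Lower-cased file name of a Windows image path ('' for no parent)."""
    return ntpath.basename(image).lower() if image else ""


def analyze(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings, sorted by pid then rule name."""
    by_pid = {e["pid"]: e for e in events}
    known_images = {e["image"].lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        pimage = parent["image"] if parent else ""
        # 1. A process starting a second instance of its own image. Unpacker
        #    stubs do this before hollowing the child; noisy on its own.
        if pimage and pimage.lower() == e["image"].lower():
            findings.append(("self_spawn", e["pid"]))
        # 2. netstat.exe never needs a cmd.exe child in normal use.
        if _base(pimage) == "netstat.exe" and _base(e["image"]) == "cmd.exe":
            findings.append(("netstat_spawns_cmd", e["pid"]))
        # 3. cmd.exe deleting a path that is the image of a process in this
        #    tree: the dropper is removing itself after injection.
        if _base(e["image"]) == "cmd.exe":
            m = DEL_CMD.search(e["cmdline"])
            if m and m.group("path").lower() in known_images:
                findings.append(("sample_self_delete", e["pid"]))
    return sorted(findings, key=lambda f: (f[1], f[0]))


def build_constructed_events() -> List[Dict]:
    """Constructed records mirroring the report's process list. Pids reuse
    the report's process numbers; NETSTAT.EXE's parent (explorer.exe, pid 4)
    is an assumption, the report lists it as unknown."""
    sample = r"C:\Users\user\Desktop\in.exe"
    return [
        {"pid": 1, "ppid": 0, "image": sample, "cmdline": f"'{sample}'"},
        {"pid": 2, "ppid": 1, "image": sample, "cmdline": f"'{sample}'"},
        {"pid": 4, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
        {"pid": 11, "ppid": 4, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
         "cmdline": r"C:\Windows\SysWOW64\NETSTAT.EXE"},
        {"pid": 12, "ppid": 11, "image": r"C:\Windows\SysWOW64\cmd.exe",
         "cmdline": f"/c del '{sample}'"},
        {"pid": 13, "ppid": 12, "image": r"C:\Windows\System32\conhost.exe",
         "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    ]


if __name__ == "__main__":
    for rule, pid in analyze(build_constructed_events()):
        print(f"{rule:<20} pid {pid}")
```

Rule 1 fires on plenty of legitimate software (browsers and updaters relaunch themselves), so on its own it is a low-confidence signal; rules 2 and 3 are specific enough to alert on directly, and the three together describe exactly the tree in this report.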
Source: in.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp
Source: Binary string: netstat.pdb source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: in.exe, 00000001.00000003.250116639.000000001ABB0000.00000004.00000001.sdmp, in.exe, 00000002.00000002.292914452.000000000179F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.600753548.0000000002D5F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: in.exe, NETSTAT.EXE

Data Obfuscation:

PE file contains an invalid checksum
Source: in.exe Static PE information: real checksum: 0xe27c should be: 0x40e3b
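The mismatch above (stored 0xe27c, expected 0x40e3b) can be reproduced outside the sandbox. The script below is an added example, not part of the Joe Sandbox report: it implements the PE checksum algorithm (sum of 16-bit words with carry folding, the CheckSum field itself excluded, plus the file length) and compares the result with the stored field. `build_minimal_pe` is a constructed 312-byte PE32 skeleton used only to exercise the code offline; run the script against the real sample by passing its path as the argument.

```python
"""Recompute a PE file's CheckSum field and compare it with the stored value.

Added example for this report, not part of the Joe Sandbox output.
"""
import struct
import sys


def pe_checksum(data: bytes) -> int:
    """Return the checksum Windows expects in IMAGE_OPTIONAL_HEADER.CheckSum."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    csum_off = e_lfanew + 0x58          # CheckSum offset, same for PE32 and PE32+
    total = 0
    padded = data + b"\x00" * (len(data) % 2)
    for off in range(0, len(padded), 2):
        if csum_off <= off < csum_off + 4:
            continue                    # the field being computed is excluded
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    """Read the CheckSum field as stored in the optional header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<I", data, e_lfanew + 0x58)[0]


def verify(data: bytes) -> tuple:
    """Return (stored, computed, matches) for a PE image held in memory."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def build_minimal_pe(checksum_field: int) -> bytes:
    """Constructed 312-byte PE32 skeleton (MZ stub, PE signature, COFF header,
    optional header) with `checksum_field` written into CheckSum. It is not a
    loadable image; it exists so the algorithm can be checked offline."""
    img = bytearray(0x40 + 0x18 + 0xE0)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)           # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x014C)         # Machine = I386
    struct.pack_into("<H", img, 0x58, 0x010B)         # Magic = PE32
    struct.pack_into("<I", img, 0x40 + 0x58, checksum_field)
    return bytes(img)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        s, c, ok = verify(fh.read())
    print(f"stored 0x{s:x} computed 0x{c:x} -> {'ok' if ok else 'MISMATCH'}")
```

Treat a wrong checksum as a weak indicator on its own: the loader verifies it only for drivers and certain boot-time or critical-process DLLs, so plenty of legitimate user-mode executables ship with a zero or stale value, and packers rarely bother to fix it up. It carries weight here only next to the push/ret obfuscation, the self-spawning process tree and the Formbook YARA hits. For production use, `pefile.PE.generate_checksum()` and `verify_checksum()` implement the same computation.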
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\in.exe Code function: 1_2_00B47CC0 push eax; ret 1_2_00B47CEE
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041D0D2 push eax; ret 2_2_0041D0D8
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041D0DB push eax; ret 2_2_0041D142
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041D085 push eax; ret 2_2_0041D0D8
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041D13C push eax; ret 2_2_0041D142
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00417BE0 push 28F71FB6h; retf 2_2_00417BE5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00416561 push ebx; ret 2_2_00416570
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_004165A6 push ebx; ret 2_2_00416570
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00B47CC0 push eax; ret 2_2_00B47CEE
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016FD0D1 push ecx; ret 2_2_016FD0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CBD0D1 push ecx; ret 11_2_02CBD0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_0044D0D2 push eax; ret 11_2_0044D0D8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_0044D0DB push eax; ret 11_2_0044D142
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_0044D085 push eax; ret 11_2_0044D0D8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_0044D13C push eax; ret 11_2_0044D142
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00447BE0 push 28F71FB6h; retf 11_2_00447BE5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00446561 push ebx; ret 11_2_00446570
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_004465A6 push ebx; ret 11_2_00446570

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xE3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\in.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\in.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000004398E4 second address: 00000000004398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000000439B5E second address: 0000000000439B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00409A90 rdtsc 2_2_00409A90
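Two of the code-level signatures in this report, the push/ret control transfers listed under Data Obfuscation and the paired `rdtsc` reads at 0x4098E4/0x4098EA and 0x409B5E/0x409B64 above, are easy to hunt for in a memory dump. The scanner below is an added example, not part of the Joe Sandbox report. It works on raw bytes with no knowledge of instruction boundaries, so it reports candidates to confirm in a disassembler rather than verdicts. `build_constructed_sample` plants the report's sequences into a NOP buffer at the report's offsets (base address 0x409000 assumed; one valid encoding chosen for `xor ecx, ecx` and `add ecx, eax`), so the expected hits are known.

```python
"""Scan raw x86 code for two opcode-level artefacts the report flags:
back-to-back RDTSC reads used for timing checks, and push/ret gadgets
used as obfuscated control transfers.

Added example, not part of the sandbox report.
"""
import re

RDTSC_RE = re.compile(rb"\x0f\x31")
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PUSH_REG_RET = re.compile(rb"[\x50-\x57][\xc3\xcb]", re.DOTALL)   # push r32; ret/retf
PUSH_IMM_RET = re.compile(rb"\x68(.{4})[\xc3\xcb]", re.DOTALL)     # push imm32; ret/retf


def find_rdtsc_pairs(code: bytes, base: int = 0, window: int = 16) -> list:
    """Return (addr1, addr2) for consecutive RDTSCs at most `window` bytes apart.
    A timing check reads the counter twice and compares the delta to a limit."""
    hits = [m.start() for m in RDTSC_RE.finditer(code)]
    return [(base + a, base + b) for a, b in zip(hits, hits[1:]) if b - a <= window]


def find_push_ret(code: bytes, base: int = 0) -> list:
    """Return (addr, text) for push reg; ret|retf and push imm32; ret|retf."""
    out = []
    for m in PUSH_REG_RET.finditer(code):
        ret = "retf" if code[m.end() - 1] == 0xCB else "ret"
        out.append((base + m.start(), f"push {REG32[code[m.start()] - 0x50]}; {ret}"))
    for m in PUSH_IMM_RET.finditer(code):
        ret = "retf" if code[m.end() - 1] == 0xCB else "ret"
        imm = int.from_bytes(m.group(1), "little")
        out.append((base + m.start(), f"push 0x{imm:08X}; {ret}"))
    return sorted(out)


def build_constructed_sample() -> bytes:
    """Constructed 4 KiB NOP buffer with the report's sequences planted at the
    report's offsets (base 0x409000 assumed): 'rdtsc; xor ecx,ecx; add ecx,eax;
    rdtsc' at 0x4098E4 and 0x409B5E, plus three push/ret gadgets."""
    buf = bytearray(b"\x90" * 0x1000)
    timing = b"\x0f\x31" b"\x31\xc9" b"\x01\xc1" b"\x0f\x31"
    buf[0x8E4:0x8E4 + len(timing)] = timing
    buf[0xB5E:0xB5E + len(timing)] = timing
    buf[0x100:0x106] = b"\x68\xb6\x1f\xf7\x28\xcb"   # push 28F71FB6h; retf
    buf[0x200:0x202] = b"\x50\xc3"                   # push eax; ret
    buf[0x210:0x212] = b"\x53\xc3"                   # push ebx; ret
    return bytes(buf)


if __name__ == "__main__":
    code = build_constructed_sample()
    for a, b in find_rdtsc_pairs(code, 0x409000):
        print(f"rdtsc pair {a:#010x} -> {b:#010x}")
    for addr, text in find_push_ret(code, 0x409000):
        print(f"{addr:#010x}  {text}")
```

The six-byte gap between the two `rdtsc` reads is what the report shows: read the counter, do trivial arithmetic, read it again, compare the delta with a threshold. A sandbox that intercepts `rdtsc`, as the interceptor here does, adds latency to each read unless it also fakes the returned values, which is what the check is looking for. Raising `window` catches loops with more work between the reads at the cost of more false pairs; the push/ret patterns in particular will also match inside unrelated instructions and data, so always confirm a hit by disassembling at the reported address.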
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 4524 Thread sleep count: 56 > 30
Source: C:\Windows\explorer.exe TID: 4524 Thread sleep time: -112000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5336 Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5336 Thread sleep time: -66000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Source: explorer.exe, 00000004.00000000.272838998.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.272838998.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.275212385.0000000008DBD000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.612129459.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.273493490.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.273493490.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000004.00000002.610626366.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.273493490.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: explorer.exe, 00000004.00000000.273106949.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000004.00000000.273493490.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000004.00000000.273106949.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.267766064.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000004.00000002.612129459.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000002.612129459.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000002.612129459.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\in.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\in.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00409A90 rdtsc 2_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0040ACD0 LdrLoadDll, 2_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\in.exe Code function: 1_2_00B47790 mov eax, dword ptr fs:[00000030h] 1_2_00B47790
Source: C:\Users\user\Desktop\in.exe Code function: 1_2_00EFF471 mov eax, dword ptr fs:[00000030h] 1_2_00EFF471
Source: C:\Users\user\Desktop\in.exe Code function: 1_2_00EFF2C6 mov eax, dword ptr fs:[00000030h] 1_2_00EFF2C6
Source: C:\Users\user\Desktop\in.exe Code function: 1_2_00EFF329 mov eax, dword ptr fs:[00000030h] 1_2_00EFF329
Source: C:\Users\user\Desktop\in.exe Code function: 1_2_00EFF289 mov eax, dword ptr fs:[00000030h] 1_2_00EFF289
Source: C:\Users\user\Desktop\in.exe Code function: 1_2_00EFEA1A mov eax, dword ptr fs:[00000030h] 1_2_00EFEA1A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00B47790 mov eax, dword ptr fs:[00000030h] 2_2_00B47790
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AC962 mov eax, dword ptr fs:[00000030h] 2_2_016AC962
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AB171 mov eax, dword ptr fs:[00000030h] 2_2_016AB171
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AB171 mov eax, dword ptr fs:[00000030h] 2_2_016AB171
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016CC577 mov eax, dword ptr fs:[00000030h] 2_2_016CC577
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016CC577 mov eax, dword ptr fs:[00000030h] 2_2_016CC577
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016CB944 mov eax, dword ptr fs:[00000030h] 2_2_016CB944
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016CB944 mov eax, dword ptr fs:[00000030h] 2_2_016CB944
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E3D43 mov eax, dword ptr fs:[00000030h] 2_2_016E3D43
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01723540 mov eax, dword ptr fs:[00000030h] 2_2_01723540
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016C7D50 mov eax, dword ptr fs:[00000030h] 2_2_016C7D50
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01778D34 mov eax, dword ptr fs:[00000030h] 2_2_01778D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0172A537 mov eax, dword ptr fs:[00000030h] 2_2_0172A537
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016C4120 mov eax, dword ptr fs:[00000030h] 2_2_016C4120
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016C4120 mov eax, dword ptr fs:[00000030h] 2_2_016C4120
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016C4120 mov eax, dword ptr fs:[00000030h] 2_2_016C4120
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016C4120 mov eax, dword ptr fs:[00000030h] 2_2_016C4120
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016C4120 mov ecx, dword ptr fs:[00000030h] 2_2_016C4120
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D4D3B mov eax, dword ptr fs:[00000030h] 2_2_016D4D3B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D4D3B mov eax, dword ptr fs:[00000030h] 2_2_016D4D3B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D4D3B mov eax, dword ptr fs:[00000030h] 2_2_016D4D3B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D513A mov eax, dword ptr fs:[00000030h] 2_2_016D513A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D513A mov eax, dword ptr fs:[00000030h] 2_2_016D513A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AAD30 mov eax, dword ptr fs:[00000030h] 2_2_016AAD30
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] 2_2_016B3D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] 2_2_016B3D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] 2_2_016B3D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] 2_2_016B3D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] 2_2_016B3D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] 2_2_016B3D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] 2_2_016B3D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] 2_2_016B3D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] 2_2_016B3D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] 2_2_016B3D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] 2_2_016B3D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] 2_2_016B3D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] 2_2_016B3D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A9100 mov eax, dword ptr fs:[00000030h] 2_2_016A9100
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A9100 mov eax, dword ptr fs:[00000030h] 2_2_016A9100
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A9100 mov eax, dword ptr fs:[00000030h] 2_2_016A9100
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01758DF1 mov eax, dword ptr fs:[00000030h] 2_2_01758DF1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AB1E1 mov eax, dword ptr fs:[00000030h] 2_2_016AB1E1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AB1E1 mov eax, dword ptr fs:[00000030h] 2_2_016AB1E1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AB1E1 mov eax, dword ptr fs:[00000030h] 2_2_016AB1E1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016BD5E0 mov eax, dword ptr fs:[00000030h] 2_2_016BD5E0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016BD5E0 mov eax, dword ptr fs:[00000030h] 2_2_016BD5E0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_017341E8 mov eax, dword ptr fs:[00000030h] 2_2_017341E8
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D35A1 mov eax, dword ptr fs:[00000030h] 2_2_016D35A1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_017251BE mov eax, dword ptr fs:[00000030h] 2_2_017251BE
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_017251BE mov eax, dword ptr fs:[00000030h] 2_2_017251BE
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_017251BE mov eax, dword ptr fs:[00000030h] 2_2_017251BE
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_017251BE mov eax, dword ptr fs:[00000030h] 2_2_017251BE
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D61A0 mov eax, dword ptr fs:[00000030h] 2_2_016D61A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D61A0 mov eax, dword ptr fs:[00000030h] 2_2_016D61A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_017269A6 mov eax, dword ptr fs:[00000030h] 2_2_017269A6
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D1DB5 mov eax, dword ptr fs:[00000030h] 2_2_016D1DB5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D1DB5 mov eax, dword ptr fs:[00000030h] 2_2_016D1DB5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D1DB5 mov eax, dword ptr fs:[00000030h] 2_2_016D1DB5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A2D8A mov eax, dword ptr fs:[00000030h] 2_2_016A2D8A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A2D8A mov eax, dword ptr fs:[00000030h] 2_2_016A2D8A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A2D8A mov eax, dword ptr fs:[00000030h] 2_2_016A2D8A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A2D8A mov eax, dword ptr fs:[00000030h] 2_2_016A2D8A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A2D8A mov eax, dword ptr fs:[00000030h] 2_2_016A2D8A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DA185 mov eax, dword ptr fs:[00000030h] 2_2_016DA185
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016CC182 mov eax, dword ptr fs:[00000030h] 2_2_016CC182
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DFD9B mov eax, dword ptr fs:[00000030h] 2_2_016DFD9B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DFD9B mov eax, dword ptr fs:[00000030h] 2_2_016DFD9B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D2990 mov eax, dword ptr fs:[00000030h] 2_2_016D2990
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016C746D mov eax, dword ptr fs:[00000030h] 2_2_016C746D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01771074 mov eax, dword ptr fs:[00000030h] 2_2_01771074
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01762073 mov eax, dword ptr fs:[00000030h] 2_2_01762073
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0173C450 mov eax, dword ptr fs:[00000030h] 2_2_0173C450
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0173C450 mov eax, dword ptr fs:[00000030h] 2_2_0173C450
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DA44B mov eax, dword ptr fs:[00000030h] 2_2_016DA44B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016C0050 mov eax, dword ptr fs:[00000030h] 2_2_016C0050
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016C0050 mov eax, dword ptr fs:[00000030h] 2_2_016C0050
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D002D mov eax, dword ptr fs:[00000030h] 2_2_016D002D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D002D mov eax, dword ptr fs:[00000030h] 2_2_016D002D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D002D mov eax, dword ptr fs:[00000030h] 2_2_016D002D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D002D mov eax, dword ptr fs:[00000030h] 2_2_016D002D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D002D mov eax, dword ptr fs:[00000030h] 2_2_016D002D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016BB02A mov eax, dword ptr fs:[00000030h] 2_2_016BB02A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016BB02A mov eax, dword ptr fs:[00000030h] 2_2_016BB02A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016BB02A mov eax, dword ptr fs:[00000030h] 2_2_016BB02A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016BB02A mov eax, dword ptr fs:[00000030h] 2_2_016BB02A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DBC2C mov eax, dword ptr fs:[00000030h] 2_2_016DBC2C
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01774015 mov eax, dword ptr fs:[00000030h] 2_2_01774015
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01774015 mov eax, dword ptr fs:[00000030h] 2_2_01774015
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01727016 mov eax, dword ptr fs:[00000030h] 2_2_01727016
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01727016 mov eax, dword ptr fs:[00000030h] 2_2_01727016
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01727016 mov eax, dword ptr fs:[00000030h] 2_2_01727016
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h] 2_2_01761C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01726C0A mov eax, dword ptr fs:[00000030h] 2_2_01726C0A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01726C0A mov eax, dword ptr fs:[00000030h] 2_2_01726C0A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01726C0A mov eax, dword ptr fs:[00000030h] 2_2_01726C0A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01726C0A mov eax, dword ptr fs:[00000030h] 2_2_01726C0A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0177740D mov eax, dword ptr fs:[00000030h] 2_2_0177740D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0177740D mov eax, dword ptr fs:[00000030h] 2_2_0177740D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0177740D mov eax, dword ptr fs:[00000030h] 2_2_0177740D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01726CF0 mov eax, dword ptr fs:[00000030h] 2_2_01726CF0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01726CF0 mov eax, dword ptr fs:[00000030h] 2_2_01726CF0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01726CF0 mov eax, dword ptr fs:[00000030h] 2_2_01726CF0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_017614FB mov eax, dword ptr fs:[00000030h] 2_2_017614FB
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01778CD6 mov eax, dword ptr fs:[00000030h] 2_2_01778CD6
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0173B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0173B8D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0173B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_0173B8D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0173B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0173B8D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0173B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0173B8D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0173B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0173B8D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0173B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0173B8D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E90AF mov eax, dword ptr fs:[00000030h] 2_2_016E90AF
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DF0BF mov ecx, dword ptr fs:[00000030h] 2_2_016DF0BF
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DF0BF mov eax, dword ptr fs:[00000030h] 2_2_016DF0BF
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DF0BF mov eax, dword ptr fs:[00000030h] 2_2_016DF0BF
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A9080 mov eax, dword ptr fs:[00000030h] 2_2_016A9080
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B849B mov eax, dword ptr fs:[00000030h] 2_2_016B849B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01723884 mov eax, dword ptr fs:[00000030h] 2_2_01723884
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01723884 mov eax, dword ptr fs:[00000030h] 2_2_01723884
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016ADB60 mov ecx, dword ptr fs:[00000030h] 2_2_016ADB60
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016BFF60 mov eax, dword ptr fs:[00000030h] 2_2_016BFF60
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D3B7A mov eax, dword ptr fs:[00000030h] 2_2_016D3B7A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D3B7A mov eax, dword ptr fs:[00000030h] 2_2_016D3B7A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01778F6A mov eax, dword ptr fs:[00000030h] 2_2_01778F6A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016ADB40 mov eax, dword ptr fs:[00000030h] 2_2_016ADB40
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016BEF40 mov eax, dword ptr fs:[00000030h] 2_2_016BEF40
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01778B58 mov eax, dword ptr fs:[00000030h] 2_2_01778B58
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AF358 mov eax, dword ptr fs:[00000030h] 2_2_016AF358
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A4F2E mov eax, dword ptr fs:[00000030h] 2_2_016A4F2E
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A4F2E mov eax, dword ptr fs:[00000030h] 2_2_016A4F2E
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DE730 mov eax, dword ptr fs:[00000030h] 2_2_016DE730
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0173FF10 mov eax, dword ptr fs:[00000030h] 2_2_0173FF10
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0173FF10 mov eax, dword ptr fs:[00000030h] 2_2_0173FF10
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DA70E mov eax, dword ptr fs:[00000030h] 2_2_016DA70E
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DA70E mov eax, dword ptr fs:[00000030h] 2_2_016DA70E
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0176131B mov eax, dword ptr fs:[00000030h] 2_2_0176131B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0177070D mov eax, dword ptr fs:[00000030h] 2_2_0177070D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0177070D mov eax, dword ptr fs:[00000030h] 2_2_0177070D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016CF716 mov eax, dword ptr fs:[00000030h] 2_2_016CF716
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D03E2 mov eax, dword ptr fs:[00000030h] 2_2_016D03E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D03E2 mov eax, dword ptr fs:[00000030h] 2_2_016D03E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D03E2 mov eax, dword ptr fs:[00000030h] 2_2_016D03E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D03E2 mov eax, dword ptr fs:[00000030h] 2_2_016D03E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D03E2 mov eax, dword ptr fs:[00000030h] 2_2_016D03E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D03E2 mov eax, dword ptr fs:[00000030h] 2_2_016D03E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E37F5 mov eax, dword ptr fs:[00000030h] 2_2_016E37F5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_017253CA mov eax, dword ptr fs:[00000030h] 2_2_017253CA
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_017253CA mov eax, dword ptr fs:[00000030h] 2_2_017253CA
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01775BA5 mov eax, dword ptr fs:[00000030h] 2_2_01775BA5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B1B8F mov eax, dword ptr fs:[00000030h] 2_2_016B1B8F
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B1B8F mov eax, dword ptr fs:[00000030h] 2_2_016B1B8F
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01727794 mov eax, dword ptr fs:[00000030h] 2_2_01727794
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01727794 mov eax, dword ptr fs:[00000030h] 2_2_01727794
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01727794 mov eax, dword ptr fs:[00000030h] 2_2_01727794
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0175D380 mov ecx, dword ptr fs:[00000030h] 2_2_0175D380
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0176138A mov eax, dword ptr fs:[00000030h] 2_2_0176138A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DB390 mov eax, dword ptr fs:[00000030h] 2_2_016DB390
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B8794 mov eax, dword ptr fs:[00000030h] 2_2_016B8794
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B766D mov eax, dword ptr fs:[00000030h] 2_2_016B766D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E927A mov eax, dword ptr fs:[00000030h] 2_2_016E927A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0175B260 mov eax, dword ptr fs:[00000030h] 2_2_0175B260
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0175B260 mov eax, dword ptr fs:[00000030h] 2_2_0175B260
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01778A62 mov eax, dword ptr fs:[00000030h] 2_2_01778A62
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016CAE73 mov eax, dword ptr fs:[00000030h] 2_2_016CAE73
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016CAE73 mov eax, dword ptr fs:[00000030h] 2_2_016CAE73
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016CAE73 mov eax, dword ptr fs:[00000030h] 2_2_016CAE73
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016CAE73 mov eax, dword ptr fs:[00000030h] 2_2_016CAE73
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016CAE73 mov eax, dword ptr fs:[00000030h] 2_2_016CAE73
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01734257 mov eax, dword ptr fs:[00000030h] 2_2_01734257
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A9240 mov eax, dword ptr fs:[00000030h] 2_2_016A9240
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A9240 mov eax, dword ptr fs:[00000030h] 2_2_016A9240
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A9240 mov eax, dword ptr fs:[00000030h] 2_2_016A9240
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A9240 mov eax, dword ptr fs:[00000030h] 2_2_016A9240
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B7E41 mov eax, dword ptr fs:[00000030h] 2_2_016B7E41
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B7E41 mov eax, dword ptr fs:[00000030h] 2_2_016B7E41
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B7E41 mov eax, dword ptr fs:[00000030h] 2_2_016B7E41
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B7E41 mov eax, dword ptr fs:[00000030h] 2_2_016B7E41
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B7E41 mov eax, dword ptr fs:[00000030h] 2_2_016B7E41
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B7E41 mov eax, dword ptr fs:[00000030h] 2_2_016B7E41
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0175FE3F mov eax, dword ptr fs:[00000030h] 2_2_0175FE3F
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AE620 mov eax, dword ptr fs:[00000030h] 2_2_016AE620
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B8A0A mov eax, dword ptr fs:[00000030h] 2_2_016B8A0A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AC600 mov eax, dword ptr fs:[00000030h] 2_2_016AC600
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AC600 mov eax, dword ptr fs:[00000030h] 2_2_016AC600
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AC600 mov eax, dword ptr fs:[00000030h] 2_2_016AC600
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D8E00 mov eax, dword ptr fs:[00000030h] 2_2_016D8E00
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016C3A1C mov eax, dword ptr fs:[00000030h] 2_2_016C3A1C
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DA61C mov eax, dword ptr fs:[00000030h] 2_2_016DA61C
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DA61C mov eax, dword ptr fs:[00000030h] 2_2_016DA61C
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AAA16 mov eax, dword ptr fs:[00000030h] 2_2_016AAA16
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016AAA16 mov eax, dword ptr fs:[00000030h] 2_2_016AAA16
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016B76E2 mov eax, dword ptr fs:[00000030h] 2_2_016B76E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D2AE4 mov eax, dword ptr fs:[00000030h] 2_2_016D2AE4
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D16E0 mov ecx, dword ptr fs:[00000030h] 2_2_016D16E0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01778ED6 mov eax, dword ptr fs:[00000030h] 2_2_01778ED6
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D36CC mov eax, dword ptr fs:[00000030h] 2_2_016D36CC
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016D2ACB mov eax, dword ptr fs:[00000030h] 2_2_016D2ACB
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E8EC7 mov eax, dword ptr fs:[00000030h] 2_2_016E8EC7
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0175FEC0 mov eax, dword ptr fs:[00000030h] 2_2_0175FEC0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A52A5 mov eax, dword ptr fs:[00000030h] 2_2_016A52A5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A52A5 mov eax, dword ptr fs:[00000030h] 2_2_016A52A5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A52A5 mov eax, dword ptr fs:[00000030h] 2_2_016A52A5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A52A5 mov eax, dword ptr fs:[00000030h] 2_2_016A52A5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016A52A5 mov eax, dword ptr fs:[00000030h] 2_2_016A52A5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01770EA5 mov eax, dword ptr fs:[00000030h] 2_2_01770EA5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01770EA5 mov eax, dword ptr fs:[00000030h] 2_2_01770EA5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01770EA5 mov eax, dword ptr fs:[00000030h] 2_2_01770EA5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_017246A7 mov eax, dword ptr fs:[00000030h] 2_2_017246A7
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016BAAB0 mov eax, dword ptr fs:[00000030h] 2_2_016BAAB0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016BAAB0 mov eax, dword ptr fs:[00000030h] 2_2_016BAAB0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DFAB0 mov eax, dword ptr fs:[00000030h] 2_2_016DFAB0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0173FE87 mov eax, dword ptr fs:[00000030h] 2_2_0173FE87
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DD294 mov eax, dword ptr fs:[00000030h] 2_2_016DD294
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016DD294 mov eax, dword ptr fs:[00000030h] 2_2_016DD294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C92ACB mov eax, dword ptr fs:[00000030h] 11_2_02C92ACB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D38ED6 mov eax, dword ptr fs:[00000030h] 11_2_02D38ED6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C936CC mov eax, dword ptr fs:[00000030h] 11_2_02C936CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA8EC7 mov eax, dword ptr fs:[00000030h] 11_2_02CA8EC7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D1FEC0 mov eax, dword ptr fs:[00000030h] 11_2_02D1FEC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C776E2 mov eax, dword ptr fs:[00000030h] 11_2_02C776E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C916E0 mov ecx, dword ptr fs:[00000030h] 11_2_02C916E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C92AE4 mov eax, dword ptr fs:[00000030h] 11_2_02C92AE4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CFFE87 mov eax, dword ptr fs:[00000030h] 11_2_02CFFE87
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9D294 mov eax, dword ptr fs:[00000030h] 11_2_02C9D294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9D294 mov eax, dword ptr fs:[00000030h] 11_2_02C9D294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C652A5 mov eax, dword ptr fs:[00000030h] 11_2_02C652A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C652A5 mov eax, dword ptr fs:[00000030h] 11_2_02C652A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C652A5 mov eax, dword ptr fs:[00000030h] 11_2_02C652A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C652A5 mov eax, dword ptr fs:[00000030h] 11_2_02C652A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C652A5 mov eax, dword ptr fs:[00000030h] 11_2_02C652A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE46A7 mov eax, dword ptr fs:[00000030h] 11_2_02CE46A7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D30EA5 mov eax, dword ptr fs:[00000030h] 11_2_02D30EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D30EA5 mov eax, dword ptr fs:[00000030h] 11_2_02D30EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D30EA5 mov eax, dword ptr fs:[00000030h] 11_2_02D30EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7AAB0 mov eax, dword ptr fs:[00000030h] 11_2_02C7AAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7AAB0 mov eax, dword ptr fs:[00000030h] 11_2_02C7AAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9FAB0 mov eax, dword ptr fs:[00000030h] 11_2_02C9FAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C69240 mov eax, dword ptr fs:[00000030h] 11_2_02C69240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C69240 mov eax, dword ptr fs:[00000030h] 11_2_02C69240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C69240 mov eax, dword ptr fs:[00000030h] 11_2_02C69240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C69240 mov eax, dword ptr fs:[00000030h] 11_2_02C69240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C77E41 mov eax, dword ptr fs:[00000030h] 11_2_02C77E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C77E41 mov eax, dword ptr fs:[00000030h] 11_2_02C77E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C77E41 mov eax, dword ptr fs:[00000030h] 11_2_02C77E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C77E41 mov eax, dword ptr fs:[00000030h] 11_2_02C77E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C77E41 mov eax, dword ptr fs:[00000030h] 11_2_02C77E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C77E41 mov eax, dword ptr fs:[00000030h] 11_2_02C77E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CF4257 mov eax, dword ptr fs:[00000030h] 11_2_02CF4257
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7766D mov eax, dword ptr fs:[00000030h] 11_2_02C7766D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA927A mov eax, dword ptr fs:[00000030h] 11_2_02CA927A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D1B260 mov eax, dword ptr fs:[00000030h] 11_2_02D1B260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D1B260 mov eax, dword ptr fs:[00000030h] 11_2_02D1B260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D38A62 mov eax, dword ptr fs:[00000030h] 11_2_02D38A62
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C8AE73 mov eax, dword ptr fs:[00000030h] 11_2_02C8AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C8AE73 mov eax, dword ptr fs:[00000030h] 11_2_02C8AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C8AE73 mov eax, dword ptr fs:[00000030h] 11_2_02C8AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C8AE73 mov eax, dword ptr fs:[00000030h] 11_2_02C8AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C8AE73 mov eax, dword ptr fs:[00000030h] 11_2_02C8AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6C600 mov eax, dword ptr fs:[00000030h] 11_2_02C6C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6C600 mov eax, dword ptr fs:[00000030h] 11_2_02C6C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6C600 mov eax, dword ptr fs:[00000030h] 11_2_02C6C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C98E00 mov eax, dword ptr fs:[00000030h] 11_2_02C98E00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C78A0A mov eax, dword ptr fs:[00000030h] 11_2_02C78A0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6AA16 mov eax, dword ptr fs:[00000030h] 11_2_02C6AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6AA16 mov eax, dword ptr fs:[00000030h] 11_2_02C6AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C83A1C mov eax, dword ptr fs:[00000030h] 11_2_02C83A1C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9A61C mov eax, dword ptr fs:[00000030h] 11_2_02C9A61C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9A61C mov eax, dword ptr fs:[00000030h] 11_2_02C9A61C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C65210 mov eax, dword ptr fs:[00000030h] 11_2_02C65210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C65210 mov ecx, dword ptr fs:[00000030h] 11_2_02C65210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C65210 mov eax, dword ptr fs:[00000030h] 11_2_02C65210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C65210 mov eax, dword ptr fs:[00000030h] 11_2_02C65210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21608 mov eax, dword ptr fs:[00000030h] 11_2_02D21608
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6E620 mov eax, dword ptr fs:[00000030h] 11_2_02C6E620
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA4A2C mov eax, dword ptr fs:[00000030h] 11_2_02CA4A2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA4A2C mov eax, dword ptr fs:[00000030h] 11_2_02CA4A2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D1FE3F mov eax, dword ptr fs:[00000030h] 11_2_02D1FE3F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE53CA mov eax, dword ptr fs:[00000030h] 11_2_02CE53CA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE53CA mov eax, dword ptr fs:[00000030h] 11_2_02CE53CA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C8DBE9 mov eax, dword ptr fs:[00000030h] 11_2_02C8DBE9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C903E2 mov eax, dword ptr fs:[00000030h] 11_2_02C903E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C903E2 mov eax, dword ptr fs:[00000030h] 11_2_02C903E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C903E2 mov eax, dword ptr fs:[00000030h] 11_2_02C903E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C903E2 mov eax, dword ptr fs:[00000030h] 11_2_02C903E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C903E2 mov eax, dword ptr fs:[00000030h] 11_2_02C903E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C903E2 mov eax, dword ptr fs:[00000030h] 11_2_02C903E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA37F5 mov eax, dword ptr fs:[00000030h] 11_2_02CA37F5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C71B8F mov eax, dword ptr fs:[00000030h] 11_2_02C71B8F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C71B8F mov eax, dword ptr fs:[00000030h] 11_2_02C71B8F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D1D380 mov ecx, dword ptr fs:[00000030h] 11_2_02D1D380
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C78794 mov eax, dword ptr fs:[00000030h] 11_2_02C78794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D2138A mov eax, dword ptr fs:[00000030h] 11_2_02D2138A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9B390 mov eax, dword ptr fs:[00000030h] 11_2_02C9B390
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE7794 mov eax, dword ptr fs:[00000030h] 11_2_02CE7794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE7794 mov eax, dword ptr fs:[00000030h] 11_2_02CE7794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE7794 mov eax, dword ptr fs:[00000030h] 11_2_02CE7794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C92397 mov eax, dword ptr fs:[00000030h] 11_2_02C92397
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C94BAD mov eax, dword ptr fs:[00000030h] 11_2_02C94BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C94BAD mov eax, dword ptr fs:[00000030h] 11_2_02C94BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C94BAD mov eax, dword ptr fs:[00000030h] 11_2_02C94BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D35BA5 mov eax, dword ptr fs:[00000030h] 11_2_02D35BA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6DB40 mov eax, dword ptr fs:[00000030h] 11_2_02C6DB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7EF40 mov eax, dword ptr fs:[00000030h] 11_2_02C7EF40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D38B58 mov eax, dword ptr fs:[00000030h] 11_2_02D38B58
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6F358 mov eax, dword ptr fs:[00000030h] 11_2_02C6F358
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6DB60 mov ecx, dword ptr fs:[00000030h] 11_2_02C6DB60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7FF60 mov eax, dword ptr fs:[00000030h] 11_2_02C7FF60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C93B7A mov eax, dword ptr fs:[00000030h] 11_2_02C93B7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C93B7A mov eax, dword ptr fs:[00000030h] 11_2_02C93B7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D38F6A mov eax, dword ptr fs:[00000030h] 11_2_02D38F6A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9A70E mov eax, dword ptr fs:[00000030h] 11_2_02C9A70E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9A70E mov eax, dword ptr fs:[00000030h] 11_2_02C9A70E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D2131B mov eax, dword ptr fs:[00000030h] 11_2_02D2131B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D3070D mov eax, dword ptr fs:[00000030h] 11_2_02D3070D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D3070D mov eax, dword ptr fs:[00000030h] 11_2_02D3070D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C8F716 mov eax, dword ptr fs:[00000030h] 11_2_02C8F716
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CFFF10 mov eax, dword ptr fs:[00000030h] 11_2_02CFFF10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CFFF10 mov eax, dword ptr fs:[00000030h] 11_2_02CFFF10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C64F2E mov eax, dword ptr fs:[00000030h] 11_2_02C64F2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C64F2E mov eax, dword ptr fs:[00000030h] 11_2_02C64F2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9E730 mov eax, dword ptr fs:[00000030h] 11_2_02C9E730
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D38CD6 mov eax, dword ptr fs:[00000030h] 11_2_02D38CD6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CFB8D0 mov eax, dword ptr fs:[00000030h] 11_2_02CFB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CFB8D0 mov ecx, dword ptr fs:[00000030h] 11_2_02CFB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CFB8D0 mov eax, dword ptr fs:[00000030h] 11_2_02CFB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CFB8D0 mov eax, dword ptr fs:[00000030h] 11_2_02CFB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CFB8D0 mov eax, dword ptr fs:[00000030h] 11_2_02CFB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CFB8D0 mov eax, dword ptr fs:[00000030h] 11_2_02CFB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D214FB mov eax, dword ptr fs:[00000030h] 11_2_02D214FB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C658EC mov eax, dword ptr fs:[00000030h] 11_2_02C658EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE6CF0 mov eax, dword ptr fs:[00000030h] 11_2_02CE6CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE6CF0 mov eax, dword ptr fs:[00000030h] 11_2_02CE6CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE6CF0 mov eax, dword ptr fs:[00000030h] 11_2_02CE6CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C69080 mov eax, dword ptr fs:[00000030h] 11_2_02C69080
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE3884 mov eax, dword ptr fs:[00000030h] 11_2_02CE3884
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE3884 mov eax, dword ptr fs:[00000030h] 11_2_02CE3884
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7849B mov eax, dword ptr fs:[00000030h] 11_2_02C7849B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA90AF mov eax, dword ptr fs:[00000030h] 11_2_02CA90AF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C920A0 mov eax, dword ptr fs:[00000030h] 11_2_02C920A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C920A0 mov eax, dword ptr fs:[00000030h] 11_2_02C920A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C920A0 mov eax, dword ptr fs:[00000030h] 11_2_02C920A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C920A0 mov eax, dword ptr fs:[00000030h] 11_2_02C920A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C920A0 mov eax, dword ptr fs:[00000030h] 11_2_02C920A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C920A0 mov eax, dword ptr fs:[00000030h] 11_2_02C920A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9F0BF mov ecx, dword ptr fs:[00000030h] 11_2_02C9F0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9F0BF mov eax, dword ptr fs:[00000030h] 11_2_02C9F0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9F0BF mov eax, dword ptr fs:[00000030h] 11_2_02C9F0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9A44B mov eax, dword ptr fs:[00000030h] 11_2_02C9A44B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C80050 mov eax, dword ptr fs:[00000030h] 11_2_02C80050
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C80050 mov eax, dword ptr fs:[00000030h] 11_2_02C80050
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CFC450 mov eax, dword ptr fs:[00000030h] 11_2_02CFC450
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CFC450 mov eax, dword ptr fs:[00000030h] 11_2_02CFC450
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D22073 mov eax, dword ptr fs:[00000030h] 11_2_02D22073
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C8746D mov eax, dword ptr fs:[00000030h] 11_2_02C8746D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D31074 mov eax, dword ptr fs:[00000030h] 11_2_02D31074
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE6C0A mov eax, dword ptr fs:[00000030h] 11_2_02CE6C0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE6C0A mov eax, dword ptr fs:[00000030h] 11_2_02CE6C0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE6C0A mov eax, dword ptr fs:[00000030h] 11_2_02CE6C0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE6C0A mov eax, dword ptr fs:[00000030h] 11_2_02CE6C0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D34015 mov eax, dword ptr fs:[00000030h] 11_2_02D34015
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D34015 mov eax, dword ptr fs:[00000030h] 11_2_02D34015
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h] 11_2_02D21C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE7016 mov eax, dword ptr fs:[00000030h] 11_2_02CE7016
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE7016 mov eax, dword ptr fs:[00000030h] 11_2_02CE7016
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE7016 mov eax, dword ptr fs:[00000030h] 11_2_02CE7016
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D3740D mov eax, dword ptr fs:[00000030h] 11_2_02D3740D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D3740D mov eax, dword ptr fs:[00000030h] 11_2_02D3740D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D3740D mov eax, dword ptr fs:[00000030h] 11_2_02D3740D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9002D mov eax, dword ptr fs:[00000030h] 11_2_02C9002D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9002D mov eax, dword ptr fs:[00000030h] 11_2_02C9002D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9002D mov eax, dword ptr fs:[00000030h] 11_2_02C9002D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9002D mov eax, dword ptr fs:[00000030h] 11_2_02C9002D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9002D mov eax, dword ptr fs:[00000030h] 11_2_02C9002D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9BC2C mov eax, dword ptr fs:[00000030h] 11_2_02C9BC2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7B02A mov eax, dword ptr fs:[00000030h] 11_2_02C7B02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7B02A mov eax, dword ptr fs:[00000030h] 11_2_02C7B02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7B02A mov eax, dword ptr fs:[00000030h] 11_2_02C7B02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7B02A mov eax, dword ptr fs:[00000030h] 11_2_02C7B02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE6DC9 mov eax, dword ptr fs:[00000030h] 11_2_02CE6DC9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE6DC9 mov eax, dword ptr fs:[00000030h] 11_2_02CE6DC9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE6DC9 mov eax, dword ptr fs:[00000030h] 11_2_02CE6DC9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE6DC9 mov ecx, dword ptr fs:[00000030h] 11_2_02CE6DC9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE6DC9 mov eax, dword ptr fs:[00000030h] 11_2_02CE6DC9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE6DC9 mov eax, dword ptr fs:[00000030h] 11_2_02CE6DC9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D18DF1 mov eax, dword ptr fs:[00000030h] 11_2_02D18DF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6B1E1 mov eax, dword ptr fs:[00000030h] 11_2_02C6B1E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6B1E1 mov eax, dword ptr fs:[00000030h] 11_2_02C6B1E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6B1E1 mov eax, dword ptr fs:[00000030h] 11_2_02C6B1E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CF41E8 mov eax, dword ptr fs:[00000030h] 11_2_02CF41E8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7D5E0 mov eax, dword ptr fs:[00000030h] 11_2_02C7D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C7D5E0 mov eax, dword ptr fs:[00000030h] 11_2_02C7D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C92581 mov eax, dword ptr fs:[00000030h] 11_2_02C92581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C92581 mov eax, dword ptr fs:[00000030h] 11_2_02C92581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C92581 mov eax, dword ptr fs:[00000030h] 11_2_02C92581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C92581 mov eax, dword ptr fs:[00000030h] 11_2_02C92581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C8C182 mov eax, dword ptr fs:[00000030h] 11_2_02C8C182
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9A185 mov eax, dword ptr fs:[00000030h] 11_2_02C9A185
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C62D8A mov eax, dword ptr fs:[00000030h] 11_2_02C62D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C62D8A mov eax, dword ptr fs:[00000030h] 11_2_02C62D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C62D8A mov eax, dword ptr fs:[00000030h] 11_2_02C62D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C62D8A mov eax, dword ptr fs:[00000030h] 11_2_02C62D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C62D8A mov eax, dword ptr fs:[00000030h] 11_2_02C62D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9FD9B mov eax, dword ptr fs:[00000030h] 11_2_02C9FD9B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9FD9B mov eax, dword ptr fs:[00000030h] 11_2_02C9FD9B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C92990 mov eax, dword ptr fs:[00000030h] 11_2_02C92990
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C935A1 mov eax, dword ptr fs:[00000030h] 11_2_02C935A1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE69A6 mov eax, dword ptr fs:[00000030h] 11_2_02CE69A6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C961A0 mov eax, dword ptr fs:[00000030h] 11_2_02C961A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C961A0 mov eax, dword ptr fs:[00000030h] 11_2_02C961A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE51BE mov eax, dword ptr fs:[00000030h] 11_2_02CE51BE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE51BE mov eax, dword ptr fs:[00000030h] 11_2_02CE51BE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE51BE mov eax, dword ptr fs:[00000030h] 11_2_02CE51BE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE51BE mov eax, dword ptr fs:[00000030h] 11_2_02CE51BE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C91DB5 mov eax, dword ptr fs:[00000030h] 11_2_02C91DB5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C91DB5 mov eax, dword ptr fs:[00000030h] 11_2_02C91DB5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C91DB5 mov eax, dword ptr fs:[00000030h] 11_2_02C91DB5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D305AC mov eax, dword ptr fs:[00000030h] 11_2_02D305AC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D305AC mov eax, dword ptr fs:[00000030h] 11_2_02D305AC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA3D43 mov eax, dword ptr fs:[00000030h] 11_2_02CA3D43
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C8B944 mov eax, dword ptr fs:[00000030h] 11_2_02C8B944
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C8B944 mov eax, dword ptr fs:[00000030h] 11_2_02C8B944
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CE3540 mov eax, dword ptr fs:[00000030h] 11_2_02CE3540
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C87D50 mov eax, dword ptr fs:[00000030h] 11_2_02C87D50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6C962 mov eax, dword ptr fs:[00000030h] 11_2_02C6C962
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6B171 mov eax, dword ptr fs:[00000030h] 11_2_02C6B171
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6B171 mov eax, dword ptr fs:[00000030h] 11_2_02C6B171
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C8C577 mov eax, dword ptr fs:[00000030h] 11_2_02C8C577
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C8C577 mov eax, dword ptr fs:[00000030h] 11_2_02C8C577
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C69100 mov eax, dword ptr fs:[00000030h] 11_2_02C69100
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C69100 mov eax, dword ptr fs:[00000030h] 11_2_02C69100
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C69100 mov eax, dword ptr fs:[00000030h] 11_2_02C69100
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02D38D34 mov eax, dword ptr fs:[00000030h] 11_2_02D38D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C84120 mov eax, dword ptr fs:[00000030h] 11_2_02C84120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C84120 mov eax, dword ptr fs:[00000030h] 11_2_02C84120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C84120 mov eax, dword ptr fs:[00000030h] 11_2_02C84120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C84120 mov eax, dword ptr fs:[00000030h] 11_2_02C84120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C84120 mov ecx, dword ptr fs:[00000030h] 11_2_02C84120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C94D3B mov eax, dword ptr fs:[00000030h] 11_2_02C94D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C94D3B mov eax, dword ptr fs:[00000030h] 11_2_02C94D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C94D3B mov eax, dword ptr fs:[00000030h] 11_2_02C94D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9513A mov eax, dword ptr fs:[00000030h] 11_2_02C9513A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C9513A mov eax, dword ptr fs:[00000030h] 11_2_02C9513A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h] 11_2_02C73D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h] 11_2_02C73D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h] 11_2_02C73D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h] 11_2_02C73D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h] 11_2_02C73D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h] 11_2_02C73D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h] 11_2_02C73D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h] 11_2_02C73D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h] 11_2_02C73D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h] 11_2_02C73D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h] 11_2_02C73D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h] 11_2_02C73D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h] 11_2_02C73D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C6AD30 mov eax, dword ptr fs:[00000030h] 11_2_02C6AD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CEA537 mov eax, dword ptr fs:[00000030h] 11_2_02CEA537
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\in.exe Code function: 1_2_00B47910 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapAlloc, 1_2_00B47910
Enables debug privileges
Source: C:\Users\user\Desktop\in.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 199.59.242.153 80
Source: C:\Windows\explorer.exe Network Connect: 198.185.159.144 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.212 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.216 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\in.exe Section loaded: unknown target: C:\Users\user\Desktop\in.exe protection: execute and read and write
Source: C:\Users\user\Desktop\in.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\in.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Users\user\Desktop\in.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\in.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3292
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\in.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\in.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: C30000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\in.exe Process created: C:\Users\user\Desktop\in.exe 'C:\Users\user\Desktop\in.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'
Source: explorer.exe, 00000004.00000000.254833840.0000000001400000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.602243667.00000000040D0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000004.00000000.254833840.0000000001400000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.602243667.00000000040D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.254833840.0000000001400000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.602243667.00000000040D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.599512509.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000004.00000000.254833840.0000000001400000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.602243667.00000000040D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.273106949.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE
Behavior Graph (ID: 339331, Sample: in.exe, Startdate: 13/01/2021, Architecture: WINDOWS, Score: 100)

Process chain: in.exe (started) -> in.exe (started) -> explorer.exe (injected) -> NETSTAT.EXE (started) -> cmd.exe (started) -> conhost.exe (started)

Graph signatures, per node:
Sample: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
in.exe (first instance): Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
in.exe (second instance): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
explorer.exe: System process connects to network (likely due to code injection or exploit)
NETSTAT.EXE: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements

Graph network nodes:
Sample: www.spontaneoushomeschooler.com
explorer.exe: 198.54.117.216, 49753, 80 NAMECHEAP-NETUS United States; www.demenageseul.com 199.59.242.153, 49751, 80 BODIS-NJUS United States; 6 other IPs or domains

Contacted Public IPs

IP              Domain   Country        ASN     ASN Name         Malicious
199.59.242.153  unknown  United States  395082  BODIS-NJUS       true
198.185.159.144 unknown  United States  53831   SQUARESPACEUS    false
198.54.117.212  unknown  United States  22612   NAMECHEAP-NETUS  false
198.54.117.216  unknown  United States  22612   NAMECHEAP-NETUS  true

Contacted Domains

Name IP Active
www.spontaneoushomeschooler.com 94.23.162.163 true
parkingpage.namecheap.com 198.54.117.212 true
www.demenageseul.com 199.59.242.153 true
ext-sq.squarespace.com 198.185.159.144 true
www.cptdesignstudio.com unknown unknown
www.seak.xyz unknown unknown
www.besthandstool.icu unknown unknown
www.concur.design unknown unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.concur.design/uds2/?Y4spQFW=n2X6clJmCA05S3ZeqrcWmU9LgTYh3Xo9IMSlcPg8h+SS+WcZ+1zi1nXkqGc0mRUifak24jBbuw==&Ezu=VTChCL_ht2spUrI | true | Avira URL Cloud: safe | unknown
http://www.cptdesignstudio.com/uds2/?Y4spQFW=G5yaYpuBg7XYabQFtGr/YwUbUG6Du4hspLJ6ti3LnsVJcslX7oGk4EUBP1FenotTMaF2IKx0Gw==&Ezu=VTChCL_ht2spUrI | true | Avira URL Cloud: safe | unknown
http://www.seak.xyz/uds2/?Y4spQFW=vIE1ET6pQu49m+QHY7YrZ7t2bRuoKngw2h26Ua5bu/NnC6rxsHDfr4DpunyQx1XamxAZm7X6xg==&Ezu=VTChCL_ht2spUrI | true | Avira URL Cloud: safe | unknown
http://www.demenageseul.com/uds2/?Y4spQFW=nX62fi3FGck0KYkDLbl3wNFzysJuwQN4fQs5/MCF0tdU2wk9ctHDwkR8RP5qD5uIs0RtT2NFRQ==&Ezu=VTChCL_ht2spUrI | true | Avira URL Cloud: safe | unknown