Analysis Report in.exe

Overview

General Information

Sample Name: in.exe
Analysis ID: 412024
MD5: 9904ec065111725685cbe8865bf33e6d
SHA1: b55d215d3480c6ee9178a548f2cf3b3ba00f691d
SHA256: a9c017e2d279ba3ef817b6db811ce21af904951e7f5a7460f1ba74c563b96cb4
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.holodov.net/sjgd/"], "decoy": ["hjtzzg.com", "arabiaprogram.com", "hana-pet.com", "jointreleif911.com", "superuglycakes.com", "f5gcpxgfs3rkf.net", "bentengproperti.com", "josiewalter.com", "nallove.com", "contorig2.com", "kruberm.com", "wcieckashmir.com", "syggao.com", "rollinproduction.com", "furiael.online", "harasalcancu.com", "cesarscott.com", "high5promotions.com", "bemagicnottragic.com", "orangeapron.net", "thegiftofyourstory.com", "mynewbuildhome.com", "practicalfitnessidea.com", "arkanlune.com", "upmcmhealthplan.com", "skyabovelog.com", "yawicanada.com", "hxmeirong.com", "vacation-all-inclusive.com", "candoubaoku.com", "xiangche360.com", "rce.cool", "nqwydhxgrw.com", "assistance-technique.info", "444999dy.com", "faktacount.com", "foggylife.com", "underneathberlin.com", "wy1687.com", "liveblanch.life", "childvictimsactinfo.com", "portalmedan.com", "tomwanamaker.net", "homeoffice-musthaves.com", "mano.one", "minahapshy.com", "vedgc.com", "thegoodcaptain.net", "uniccodocs.com", "centerdecorstore.com", "mein-business.online", "9f1.net", "pathwaytopurposetherapy.com", "nyhtgj88.com", "troels1.com", "fashionblessings.com", "donatebtc.info", "sparta-mc.online", "520age.com", "agaragar.info", "leeindustrles.com", "couttsagency.com", "telemedspain.com", "industry-automation.com"]}
Multi AV Scanner detection for submitted file
Source: in.exe Virustotal: Detection: 30%
Source: in.exe Metadefender: Detection: 35%
Source: in.exe ReversingLabs: Detection: 75%
Yara detected FormBook
Source: Yara match File source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: in.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.in.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: in.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: in.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: in.exe, 00000002.00000002.285944809.0000000001160000.00000040.00000001.sdmp
Source: Binary string: netstat.pdb source: in.exe, 00000002.00000002.285944809.0000000001160000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: in.exe, 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: in.exe, NETSTAT.EXE

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\in.exe Code function: 4x nop then pop ebx 2_2_00406A9D
Source: C:\Users\user\Desktop\in.exe Code function: 4x nop then pop edi 2_2_0040C3CF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 8_2_0102C3CF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop ebx 8_2_01026A9D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 78.142.63.38:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 78.142.63.38:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 78.142.63.38:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.holodov.net/sjgd/
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /sjgd/?F6AD0t=e2SwNy5jTXYhIJXNsx2jjLy0bcCG+bMU9WGMv0QquE/Juv17dG/pwBG3zi56WICLhfuF&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1 Host: www.couttsagency.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /sjgd/?F6AD0t=4C9RsP0MiMfd5x3EqIWPb8N3LXE5yuIemyiinJZA7tg31FsRjvPmvbnKjZ2+rb6qC4SN&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1 Host: www.industry-automation.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /sjgd/?F6AD0t=1PFHXCgs6H1RDCiwx9JNnUIhtMFE4B7sgwhyYm7kgJX0BWSMA5HZMbs3oaApumpuT18L&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1 Host: www.fashionblessings.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.128.23.153 52.128.23.153
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: DOSARRESTUS DOSARRESTUS
Source: global traffic HTTP traffic detected: GET /sjgd/?F6AD0t=e2SwNy5jTXYhIJXNsx2jjLy0bcCG+bMU9WGMv0QquE/Juv17dG/pwBG3zi56WICLhfuF&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1 Host: www.couttsagency.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /sjgd/?F6AD0t=4C9RsP0MiMfd5x3EqIWPb8N3LXE5yuIemyiinJZA7tg31FsRjvPmvbnKjZ2+rb6qC4SN&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1 Host: www.industry-automation.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /sjgd/?F6AD0t=1PFHXCgs6H1RDCiwx9JNnUIhtMFE4B7sgwhyYm7kgJX0BWSMA5HZMbs3oaApumpuT18L&w67=DhrxPvQ0jlAtfdH0 HTTP/1.1 Host: www.fashionblessings.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.couttsagency.com
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: in.exe, 00000000.00000002.241089375.00000000024E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.270914396.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_004181B0 NtCreateFile, 2_2_004181B0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00418260 NtReadFile, 2_2_00418260
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_004182E0 NtClose, 2_2_004182E0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00418390 NtAllocateVirtualMemory, 2_2_00418390
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_004181AC NtCreateFile, 2_2_004181AC
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_004182DA NtClose, 2_2_004182DA
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041838A NtAllocateVirtualMemory, 2_2_0041838A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_01289910
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012899A0 NtCreateSection,LdrInitializeThunk, 2_2_012899A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_01289860
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289840 NtDelayExecution,LdrInitializeThunk, 2_2_01289840
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012898F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_012898F0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289A20 NtResumeThread,LdrInitializeThunk, 2_2_01289A20
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_01289A00
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289A50 NtCreateFile,LdrInitializeThunk, 2_2_01289A50
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289540 NtReadFile,LdrInitializeThunk, 2_2_01289540
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012895D0 NtClose,LdrInitializeThunk, 2_2_012895D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289710 NtQueryInformationToken,LdrInitializeThunk, 2_2_01289710
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012897A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_012897A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289780 NtMapViewOfSection,LdrInitializeThunk, 2_2_01289780
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289FE0 NtCreateMutant,LdrInitializeThunk, 2_2_01289FE0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_01289660
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012896E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_012896E0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289950 NtQueueApcThread, 2_2_01289950
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012899D0 NtCreateProcessEx, 2_2_012899D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289820 NtEnumerateKey, 2_2_01289820
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0128B040 NtSuspendThread, 2_2_0128B040
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012898A0 NtWriteVirtualMemory, 2_2_012898A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289B00 NtSetValueKey, 2_2_01289B00
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0128A3B0 NtGetContextThread, 2_2_0128A3B0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289A10 NtQuerySection, 2_2_01289A10
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289A80 NtOpenDirectoryObject, 2_2_01289A80
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289520 NtWaitForSingleObject, 2_2_01289520
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0128AD30 NtSetContextThread, 2_2_0128AD30
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289560 NtWriteFile, 2_2_01289560
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012895F0 NtQueryInformationFile, 2_2_012895F0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289730 NtQueryVirtualMemory, 2_2_01289730
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0128A710 NtOpenProcessToken, 2_2_0128A710
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289760 NtOpenProcess, 2_2_01289760
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0128A770 NtOpenThread, 2_2_0128A770
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289770 NtSetInformationFile, 2_2_01289770
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289610 NtEnumerateValueKey, 2_2_01289610
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289670 NtQueryInformationProcess, 2_2_01289670
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01289650 NtQueryValueKey, 2_2_01289650
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012896D0 NtCreateKey, 2_2_012896D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9780 NtMapViewOfSection,LdrInitializeThunk, 8_2_038D9780
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9FE0 NtCreateMutant,LdrInitializeThunk, 8_2_038D9FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9710 NtQueryInformationToken,LdrInitializeThunk, 8_2_038D9710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D96D0 NtCreateKey,LdrInitializeThunk, 8_2_038D96D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D96E0 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_038D96E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9A50 NtCreateFile,LdrInitializeThunk, 8_2_038D9A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9650 NtQueryValueKey,LdrInitializeThunk, 8_2_038D9650
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9660 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_038D9660
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D99A0 NtCreateSection,LdrInitializeThunk, 8_2_038D99A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D95D0 NtClose,LdrInitializeThunk, 8_2_038D95D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_038D9910
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9540 NtReadFile,LdrInitializeThunk, 8_2_038D9540
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9840 NtDelayExecution,LdrInitializeThunk, 8_2_038D9840
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9860 NtQuerySystemInformation,LdrInitializeThunk, 8_2_038D9860
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D97A0 NtUnmapViewOfSection, 8_2_038D97A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038DA3B0 NtGetContextThread, 8_2_038DA3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9B00 NtSetValueKey, 8_2_038D9B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038DA710 NtOpenProcessToken, 8_2_038DA710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9730 NtQueryVirtualMemory, 8_2_038D9730
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9760 NtOpenProcess, 8_2_038D9760
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9770 NtSetInformationFile, 8_2_038D9770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038DA770 NtOpenThread, 8_2_038DA770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9A80 NtOpenDirectoryObject, 8_2_038D9A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9A00 NtProtectVirtualMemory, 8_2_038D9A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9610 NtEnumerateValueKey, 8_2_038D9610
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9A10 NtQuerySection, 8_2_038D9A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9A20 NtResumeThread, 8_2_038D9A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9670 NtQueryInformationProcess, 8_2_038D9670
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D99D0 NtCreateProcessEx, 8_2_038D99D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D95F0 NtQueryInformationFile, 8_2_038D95F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9520 NtWaitForSingleObject, 8_2_038D9520
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038DAD30 NtSetContextThread, 8_2_038DAD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9950 NtQueueApcThread, 8_2_038D9950
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9560 NtWriteFile, 8_2_038D9560
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D98A0 NtWriteVirtualMemory, 8_2_038D98A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D98F0 NtReadVirtualMemory, 8_2_038D98F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D9820 NtEnumerateKey, 8_2_038D9820
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038DB040 NtSuspendThread, 8_2_038DB040
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_010381B0 NtCreateFile, 8_2_010381B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_01038390 NtAllocateVirtualMemory, 8_2_01038390
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_01038260 NtReadFile, 8_2_01038260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_010382E0 NtClose, 8_2_010382E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_010381AC NtCreateFile, 8_2_010381AC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103838A NtAllocateVirtualMemory, 8_2_0103838A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_010382DA NtClose, 8_2_010382DA
Detected potential crypto function
Source: C:\Users\user\Desktop\in.exe Code function: 0_2_0233C2B0 0_2_0233C2B0
Source: C:\Users\user\Desktop\in.exe Code function: 0_2_02339968 0_2_02339968
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00401177 2_2_00401177
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00408C4B 2_2_00408C4B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00408C50 2_2_00408C50
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041B496 2_2_0041B496
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041C504 2_2_0041C504
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041B5E0 2_2_0041B5E0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00402D87 2_2_00402D87
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041BE43 2_2_0041BE43
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041B67E 2_2_0041B67E
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041BFF0 2_2_0041BFF0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041B785 2_2_0041B785
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01264120 2_2_01264120
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124F900 2_2_0124F900
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0131E824 2_2_0131E824
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301002 2_2_01301002
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012720A0 2_2_012720A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_013120A8 2_2_013120A8
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125B090 2_2_0125B090
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_013128EC 2_2_013128EC
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01312B28 2_2_01312B28
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127EBB0 2_2_0127EBB0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130DBD2 2_2_0130DBD2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_013003DA 2_2_013003DA
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_013122AE 2_2_013122AE
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01240D20 2_2_01240D20
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01312D07 2_2_01312D07
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01311D55 2_2_01311D55
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01272581 2_2_01272581
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125D5E0 2_2_0125D5E0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_013125DD 2_2_013125DD
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125841F 2_2_0125841F
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130D466 2_2_0130D466
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01311FF1 2_2_01311FF1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0131DFCE 2_2_0131DFCE
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01266E30 2_2_01266E30
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130D616 2_2_0130D616
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01312EF7 2_2_01312EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038CEBB0 8_2_038CEBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038B6E30 8_2_038B6E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0389F900 8_2_0389F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03890D20 8_2_03890D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038B4120 8_2_038B4120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03961D55 8_2_03961D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038AB090 8_2_038AB090
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03951002 8_2_03951002
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103C504 8_2_0103C504
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_01022D87 8_2_01022D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_01022D90 8_2_01022D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103B5E0 8_2_0103B5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_01028C4B 8_2_01028C4B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_01028C50 8_2_01028C50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103B496 8_2_0103B496
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103B785 8_2_0103B785
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_01022FB0 8_2_01022FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103BE43 8_2_0103BE43
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103B67E 8_2_0103B67E
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\in.exe Code function: String function: 0124B150 appears 45 times
Sample file is different than original file name gathered from version info
Source: in.exe Binary or memory string: OriginalFilename vs in.exe
Source: in.exe, 00000000.00000002.241089375.00000000024E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs in.exe
Source: in.exe, 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs in.exe
Source: in.exe, 00000000.00000000.232546198.0000000000042000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameClientWellKnownEntry.exe0 vs in.exe
Source: in.exe Binary or memory string: OriginalFilename vs in.exe
Source: in.exe, 00000002.00000002.285570782.00000000006A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameClientWellKnownEntry.exe0 vs in.exe
Source: in.exe, 00000002.00000002.286080547.000000000133F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs in.exe
Source: in.exe, 00000002.00000002.285944809.0000000001160000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs in.exe
Source: in.exe Binary or memory string: OriginalFilenameClientWellKnownEntry.exe0 vs in.exe
Uses 32bit PE files
Source: in.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: in.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@10/4
Source: C:\Users\user\Desktop\in.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\in.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_01
Source: in.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\in.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\in.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\NETSTAT.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\NETSTAT.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: in.exe Virustotal: Detection: 30%
Source: in.exe Metadefender: Detection: 35%
Source: in.exe ReversingLabs: Detection: 75%
Source: unknown Process created: C:\Users\user\Desktop\in.exe 'C:\Users\user\Desktop\in.exe'
Source: C:\Users\user\Desktop\in.exe Process created: C:\Users\user\Desktop\in.exe C:\Users\user\Desktop\in.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\in.exe Process created: C:\Users\user\Desktop\in.exe C:\Users\user\Desktop\in.exe
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'
Source: C:\Users\user\Desktop\in.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: in.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: in.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: in.exe, 00000002.00000002.285944809.0000000001160000.00000040.00000001.sdmp
Source: Binary string: netstat.pdb source: in.exe, 00000002.00000002.285944809.0000000001160000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: in.exe, 00000002.00000002.285953904.0000000001220000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.501673885.000000000398F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: in.exe, NETSTAT.EXE

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041183E push esi; retf 2_2_0041183F
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_004150B7 push ebp; ret 2_2_004150C4
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041C8BB push es; ret 2_2_0041C930
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041533B push esi; retf 2_2_00415342
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041B3F2 push eax; ret 2_2_0041B3F8
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041B3FB push eax; ret 2_2_0041B462
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041B3A5 push eax; ret 2_2_0041B3F8
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0041B45C push eax; ret 2_2_0041B462
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0040B53D pushad ; retf 2_2_0040B53F
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00414E7E push esp; iretd 2_2_00414E2E
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00414E0A push esp; iretd 2_2_00414E2E
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0129D0D1 push ecx; ret 2_2_0129D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038ED0D1 push ecx; ret 8_2_038ED0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103183E push esi; retf 8_2_0103183F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_010350B7 push ebp; ret 8_2_010350C4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103C8BB push es; ret 8_2_0103C930
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103533B push esi; retf 8_2_01035342
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103B3A5 push eax; ret 8_2_0103B3F8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103B3F2 push eax; ret 8_2_0103B3F8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103B3FB push eax; ret 8_2_0103B462
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0102B53D pushad ; retf 8_2_0102B53F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0103B45C push eax; ret 8_2_0103B462
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_01034E0A push esp; iretd 8_2_01034E2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_01034E7E push esp; iretd 8_2_01034E2E
Source: initial sample Static PE information: section name: .text entropy: 7.68910806579
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\in.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: in.exe PID: 6236, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\in.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\in.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000010285E4 second address: 00000000010285EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 000000000102896E second address: 0000000001028974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_004088A0 rdtsc 2_2_004088A0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\in.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\in.exe TID: 6240 Thread sleep time: -99976s >= -30000s
Source: C:\Users\user\Desktop\in.exe TID: 6300 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 4988 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6456 Thread sleep time: -44000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\in.exe Thread delayed: delay time: 99976
Source: C:\Users\user\Desktop\in.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000003.00000000.270058258.0000000008A9D000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.267074134.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000002.506479364.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000003.00000000.249062679.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000003.00000002.500083819.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.269655203.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000003.00000002.514141205.00000000053D7000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000003.00000000.267074134.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.267074134.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.269655203.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: in.exe, 00000000.00000002.241150874.0000000002536000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000003.00000000.267074134.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\in.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\in.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_004088A0 rdtsc 2_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_00409B10 LdrLoadDll, 2_2_00409B10
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01264120 mov eax, dword ptr fs:[00000030h] 2_2_01264120
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01264120 mov eax, dword ptr fs:[00000030h] 2_2_01264120
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01264120 mov eax, dword ptr fs:[00000030h] 2_2_01264120
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01264120 mov eax, dword ptr fs:[00000030h] 2_2_01264120
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01264120 mov ecx, dword ptr fs:[00000030h] 2_2_01264120
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127513A mov eax, dword ptr fs:[00000030h] 2_2_0127513A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127513A mov eax, dword ptr fs:[00000030h] 2_2_0127513A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01249100 mov eax, dword ptr fs:[00000030h] 2_2_01249100
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01249100 mov eax, dword ptr fs:[00000030h] 2_2_01249100
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01249100 mov eax, dword ptr fs:[00000030h] 2_2_01249100
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124C962 mov eax, dword ptr fs:[00000030h] 2_2_0124C962
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124B171 mov eax, dword ptr fs:[00000030h] 2_2_0124B171
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124B171 mov eax, dword ptr fs:[00000030h] 2_2_0124B171
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0126B944 mov eax, dword ptr fs:[00000030h] 2_2_0126B944
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0126B944 mov eax, dword ptr fs:[00000030h] 2_2_0126B944
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012761A0 mov eax, dword ptr fs:[00000030h] 2_2_012761A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012761A0 mov eax, dword ptr fs:[00000030h] 2_2_012761A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C69A6 mov eax, dword ptr fs:[00000030h] 2_2_012C69A6
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C51BE mov eax, dword ptr fs:[00000030h] 2_2_012C51BE
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C51BE mov eax, dword ptr fs:[00000030h] 2_2_012C51BE
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C51BE mov eax, dword ptr fs:[00000030h] 2_2_012C51BE
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C51BE mov eax, dword ptr fs:[00000030h] 2_2_012C51BE
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_013049A4 mov eax, dword ptr fs:[00000030h] 2_2_013049A4
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_013049A4 mov eax, dword ptr fs:[00000030h] 2_2_013049A4
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_013049A4 mov eax, dword ptr fs:[00000030h] 2_2_013049A4
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_013049A4 mov eax, dword ptr fs:[00000030h] 2_2_013049A4
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127A185 mov eax, dword ptr fs:[00000030h] 2_2_0127A185
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0126C182 mov eax, dword ptr fs:[00000030h] 2_2_0126C182
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01272990 mov eax, dword ptr fs:[00000030h] 2_2_01272990
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012D41E8 mov eax, dword ptr fs:[00000030h] 2_2_012D41E8
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0124B1E1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0124B1E1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0124B1E1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127002D mov eax, dword ptr fs:[00000030h] 2_2_0127002D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127002D mov eax, dword ptr fs:[00000030h] 2_2_0127002D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127002D mov eax, dword ptr fs:[00000030h] 2_2_0127002D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127002D mov eax, dword ptr fs:[00000030h] 2_2_0127002D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127002D mov eax, dword ptr fs:[00000030h] 2_2_0127002D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125B02A mov eax, dword ptr fs:[00000030h] 2_2_0125B02A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125B02A mov eax, dword ptr fs:[00000030h] 2_2_0125B02A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125B02A mov eax, dword ptr fs:[00000030h] 2_2_0125B02A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125B02A mov eax, dword ptr fs:[00000030h] 2_2_0125B02A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01314015 mov eax, dword ptr fs:[00000030h] 2_2_01314015
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01314015 mov eax, dword ptr fs:[00000030h] 2_2_01314015
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C7016 mov eax, dword ptr fs:[00000030h] 2_2_012C7016
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C7016 mov eax, dword ptr fs:[00000030h] 2_2_012C7016
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C7016 mov eax, dword ptr fs:[00000030h] 2_2_012C7016
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01302073 mov eax, dword ptr fs:[00000030h] 2_2_01302073
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01311074 mov eax, dword ptr fs:[00000030h] 2_2_01311074
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01260050 mov eax, dword ptr fs:[00000030h] 2_2_01260050
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01260050 mov eax, dword ptr fs:[00000030h] 2_2_01260050
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012890AF mov eax, dword ptr fs:[00000030h] 2_2_012890AF
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012720A0 mov eax, dword ptr fs:[00000030h] 2_2_012720A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012720A0 mov eax, dword ptr fs:[00000030h] 2_2_012720A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012720A0 mov eax, dword ptr fs:[00000030h] 2_2_012720A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012720A0 mov eax, dword ptr fs:[00000030h] 2_2_012720A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012720A0 mov eax, dword ptr fs:[00000030h] 2_2_012720A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012720A0 mov eax, dword ptr fs:[00000030h] 2_2_012720A0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127F0BF mov ecx, dword ptr fs:[00000030h] 2_2_0127F0BF
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127F0BF mov eax, dword ptr fs:[00000030h] 2_2_0127F0BF
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127F0BF mov eax, dword ptr fs:[00000030h] 2_2_0127F0BF
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01249080 mov eax, dword ptr fs:[00000030h] 2_2_01249080
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C3884 mov eax, dword ptr fs:[00000030h] 2_2_012C3884
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C3884 mov eax, dword ptr fs:[00000030h] 2_2_012C3884
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012440E1 mov eax, dword ptr fs:[00000030h] 2_2_012440E1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012440E1 mov eax, dword ptr fs:[00000030h] 2_2_012440E1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012440E1 mov eax, dword ptr fs:[00000030h] 2_2_012440E1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012458EC mov eax, dword ptr fs:[00000030h] 2_2_012458EC
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012DB8D0 mov eax, dword ptr fs:[00000030h] 2_2_012DB8D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012DB8D0 mov ecx, dword ptr fs:[00000030h] 2_2_012DB8D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012DB8D0 mov eax, dword ptr fs:[00000030h] 2_2_012DB8D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012DB8D0 mov eax, dword ptr fs:[00000030h] 2_2_012DB8D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012DB8D0 mov eax, dword ptr fs:[00000030h] 2_2_012DB8D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012DB8D0 mov eax, dword ptr fs:[00000030h] 2_2_012DB8D0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130131B mov eax, dword ptr fs:[00000030h] 2_2_0130131B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124DB60 mov ecx, dword ptr fs:[00000030h] 2_2_0124DB60
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01273B7A mov eax, dword ptr fs:[00000030h] 2_2_01273B7A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01273B7A mov eax, dword ptr fs:[00000030h] 2_2_01273B7A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124DB40 mov eax, dword ptr fs:[00000030h] 2_2_0124DB40
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01318B58 mov eax, dword ptr fs:[00000030h] 2_2_01318B58
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124F358 mov eax, dword ptr fs:[00000030h] 2_2_0124F358
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01274BAD mov eax, dword ptr fs:[00000030h] 2_2_01274BAD
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01274BAD mov eax, dword ptr fs:[00000030h] 2_2_01274BAD
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01274BAD mov eax, dword ptr fs:[00000030h] 2_2_01274BAD
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01315BA5 mov eax, dword ptr fs:[00000030h] 2_2_01315BA5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01251B8F mov eax, dword ptr fs:[00000030h] 2_2_01251B8F
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01251B8F mov eax, dword ptr fs:[00000030h] 2_2_01251B8F
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012FD380 mov ecx, dword ptr fs:[00000030h] 2_2_012FD380
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01272397 mov eax, dword ptr fs:[00000030h] 2_2_01272397
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127B390 mov eax, dword ptr fs:[00000030h] 2_2_0127B390
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130138A mov eax, dword ptr fs:[00000030h] 2_2_0130138A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012703E2 mov eax, dword ptr fs:[00000030h] 2_2_012703E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012703E2 mov eax, dword ptr fs:[00000030h] 2_2_012703E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012703E2 mov eax, dword ptr fs:[00000030h] 2_2_012703E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012703E2 mov eax, dword ptr fs:[00000030h] 2_2_012703E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012703E2 mov eax, dword ptr fs:[00000030h] 2_2_012703E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012703E2 mov eax, dword ptr fs:[00000030h] 2_2_012703E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0126DBE9 mov eax, dword ptr fs:[00000030h] 2_2_0126DBE9
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C53CA mov eax, dword ptr fs:[00000030h] 2_2_012C53CA
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C53CA mov eax, dword ptr fs:[00000030h] 2_2_012C53CA
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01284A2C mov eax, dword ptr fs:[00000030h] 2_2_01284A2C
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01284A2C mov eax, dword ptr fs:[00000030h] 2_2_01284A2C
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130AA16 mov eax, dword ptr fs:[00000030h] 2_2_0130AA16
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130AA16 mov eax, dword ptr fs:[00000030h] 2_2_0130AA16
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01258A0A mov eax, dword ptr fs:[00000030h] 2_2_01258A0A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124AA16 mov eax, dword ptr fs:[00000030h] 2_2_0124AA16
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124AA16 mov eax, dword ptr fs:[00000030h] 2_2_0124AA16
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01245210 mov eax, dword ptr fs:[00000030h] 2_2_01245210
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01245210 mov ecx, dword ptr fs:[00000030h] 2_2_01245210
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01245210 mov eax, dword ptr fs:[00000030h] 2_2_01245210
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01245210 mov eax, dword ptr fs:[00000030h] 2_2_01245210
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01263A1C mov eax, dword ptr fs:[00000030h] 2_2_01263A1C
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012FB260 mov eax, dword ptr fs:[00000030h] 2_2_012FB260
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012FB260 mov eax, dword ptr fs:[00000030h] 2_2_012FB260
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0128927A mov eax, dword ptr fs:[00000030h] 2_2_0128927A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01318A62 mov eax, dword ptr fs:[00000030h] 2_2_01318A62
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01249240 mov eax, dword ptr fs:[00000030h] 2_2_01249240
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01249240 mov eax, dword ptr fs:[00000030h] 2_2_01249240
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01249240 mov eax, dword ptr fs:[00000030h] 2_2_01249240
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01249240 mov eax, dword ptr fs:[00000030h] 2_2_01249240
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130EA55 mov eax, dword ptr fs:[00000030h] 2_2_0130EA55
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012D4257 mov eax, dword ptr fs:[00000030h] 2_2_012D4257
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012452A5 mov eax, dword ptr fs:[00000030h] 2_2_012452A5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012452A5 mov eax, dword ptr fs:[00000030h] 2_2_012452A5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012452A5 mov eax, dword ptr fs:[00000030h] 2_2_012452A5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012452A5 mov eax, dword ptr fs:[00000030h] 2_2_012452A5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012452A5 mov eax, dword ptr fs:[00000030h] 2_2_012452A5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0125AAB0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0125AAB0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127FAB0 mov eax, dword ptr fs:[00000030h] 2_2_0127FAB0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127D294 mov eax, dword ptr fs:[00000030h] 2_2_0127D294
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127D294 mov eax, dword ptr fs:[00000030h] 2_2_0127D294
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01272AE4 mov eax, dword ptr fs:[00000030h] 2_2_01272AE4
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01272ACB mov eax, dword ptr fs:[00000030h] 2_2_01272ACB
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01318D34 mov eax, dword ptr fs:[00000030h] 2_2_01318D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130E539 mov eax, dword ptr fs:[00000030h] 2_2_0130E539
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h] 2_2_01253D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h] 2_2_01253D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h] 2_2_01253D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h] 2_2_01253D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h] 2_2_01253D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h] 2_2_01253D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h] 2_2_01253D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h] 2_2_01253D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h] 2_2_01253D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h] 2_2_01253D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h] 2_2_01253D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h] 2_2_01253D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01253D34 mov eax, dword ptr fs:[00000030h] 2_2_01253D34
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124AD30 mov eax, dword ptr fs:[00000030h] 2_2_0124AD30
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012CA537 mov eax, dword ptr fs:[00000030h] 2_2_012CA537
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01274D3B mov eax, dword ptr fs:[00000030h] 2_2_01274D3B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01274D3B mov eax, dword ptr fs:[00000030h] 2_2_01274D3B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01274D3B mov eax, dword ptr fs:[00000030h] 2_2_01274D3B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0126C577 mov eax, dword ptr fs:[00000030h] 2_2_0126C577
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0126C577 mov eax, dword ptr fs:[00000030h] 2_2_0126C577
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01283D43 mov eax, dword ptr fs:[00000030h] 2_2_01283D43
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C3540 mov eax, dword ptr fs:[00000030h] 2_2_012C3540
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01267D50 mov eax, dword ptr fs:[00000030h] 2_2_01267D50
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012735A1 mov eax, dword ptr fs:[00000030h] 2_2_012735A1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01271DB5 mov eax, dword ptr fs:[00000030h] 2_2_01271DB5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01271DB5 mov eax, dword ptr fs:[00000030h] 2_2_01271DB5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01271DB5 mov eax, dword ptr fs:[00000030h] 2_2_01271DB5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_013105AC mov eax, dword ptr fs:[00000030h] 2_2_013105AC
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_013105AC mov eax, dword ptr fs:[00000030h] 2_2_013105AC
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01272581 mov eax, dword ptr fs:[00000030h] 2_2_01272581
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01272581 mov eax, dword ptr fs:[00000030h] 2_2_01272581
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01272581 mov eax, dword ptr fs:[00000030h] 2_2_01272581
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01272581 mov eax, dword ptr fs:[00000030h] 2_2_01272581
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01242D8A mov eax, dword ptr fs:[00000030h] 2_2_01242D8A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01242D8A mov eax, dword ptr fs:[00000030h] 2_2_01242D8A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01242D8A mov eax, dword ptr fs:[00000030h] 2_2_01242D8A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01242D8A mov eax, dword ptr fs:[00000030h] 2_2_01242D8A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01242D8A mov eax, dword ptr fs:[00000030h] 2_2_01242D8A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127FD9B mov eax, dword ptr fs:[00000030h] 2_2_0127FD9B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127FD9B mov eax, dword ptr fs:[00000030h] 2_2_0127FD9B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0125D5E0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0125D5E0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0130FDE2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0130FDE2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0130FDE2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0130FDE2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012F8DF1 mov eax, dword ptr fs:[00000030h] 2_2_012F8DF1
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C6DC9 mov eax, dword ptr fs:[00000030h] 2_2_012C6DC9
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C6DC9 mov eax, dword ptr fs:[00000030h] 2_2_012C6DC9
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C6DC9 mov eax, dword ptr fs:[00000030h] 2_2_012C6DC9
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C6DC9 mov ecx, dword ptr fs:[00000030h] 2_2_012C6DC9
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C6DC9 mov eax, dword ptr fs:[00000030h] 2_2_012C6DC9
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C6DC9 mov eax, dword ptr fs:[00000030h] 2_2_012C6DC9
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127BC2C mov eax, dword ptr fs:[00000030h] 2_2_0127BC2C
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C6C0A mov eax, dword ptr fs:[00000030h] 2_2_012C6C0A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C6C0A mov eax, dword ptr fs:[00000030h] 2_2_012C6C0A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C6C0A mov eax, dword ptr fs:[00000030h] 2_2_012C6C0A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C6C0A mov eax, dword ptr fs:[00000030h] 2_2_012C6C0A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301C06 mov eax, dword ptr fs:[00000030h] 2_2_01301C06
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0131740D mov eax, dword ptr fs:[00000030h] 2_2_0131740D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0131740D mov eax, dword ptr fs:[00000030h] 2_2_0131740D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0131740D mov eax, dword ptr fs:[00000030h] 2_2_0131740D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0126746D mov eax, dword ptr fs:[00000030h] 2_2_0126746D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127A44B mov eax, dword ptr fs:[00000030h] 2_2_0127A44B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012DC450 mov eax, dword ptr fs:[00000030h] 2_2_012DC450
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012DC450 mov eax, dword ptr fs:[00000030h] 2_2_012DC450
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125849B mov eax, dword ptr fs:[00000030h] 2_2_0125849B
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_013014FB mov eax, dword ptr fs:[00000030h] 2_2_013014FB
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C6CF0 mov eax, dword ptr fs:[00000030h] 2_2_012C6CF0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C6CF0 mov eax, dword ptr fs:[00000030h] 2_2_012C6CF0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C6CF0 mov eax, dword ptr fs:[00000030h] 2_2_012C6CF0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01318CD6 mov eax, dword ptr fs:[00000030h] 2_2_01318CD6
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01244F2E mov eax, dword ptr fs:[00000030h] 2_2_01244F2E
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01244F2E mov eax, dword ptr fs:[00000030h] 2_2_01244F2E
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127E730 mov eax, dword ptr fs:[00000030h] 2_2_0127E730
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127A70E mov eax, dword ptr fs:[00000030h] 2_2_0127A70E
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127A70E mov eax, dword ptr fs:[00000030h] 2_2_0127A70E
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0126F716 mov eax, dword ptr fs:[00000030h] 2_2_0126F716
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0131070D mov eax, dword ptr fs:[00000030h] 2_2_0131070D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0131070D mov eax, dword ptr fs:[00000030h] 2_2_0131070D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012DFF10 mov eax, dword ptr fs:[00000030h] 2_2_012DFF10
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012DFF10 mov eax, dword ptr fs:[00000030h] 2_2_012DFF10
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125FF60 mov eax, dword ptr fs:[00000030h] 2_2_0125FF60
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01318F6A mov eax, dword ptr fs:[00000030h] 2_2_01318F6A
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125EF40 mov eax, dword ptr fs:[00000030h] 2_2_0125EF40
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01258794 mov eax, dword ptr fs:[00000030h] 2_2_01258794
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C7794 mov eax, dword ptr fs:[00000030h] 2_2_012C7794
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C7794 mov eax, dword ptr fs:[00000030h] 2_2_012C7794
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C7794 mov eax, dword ptr fs:[00000030h] 2_2_012C7794
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012837F5 mov eax, dword ptr fs:[00000030h] 2_2_012837F5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124E620 mov eax, dword ptr fs:[00000030h] 2_2_0124E620
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012FFE3F mov eax, dword ptr fs:[00000030h] 2_2_012FFE3F
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124C600 mov eax, dword ptr fs:[00000030h] 2_2_0124C600
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124C600 mov eax, dword ptr fs:[00000030h] 2_2_0124C600
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0124C600 mov eax, dword ptr fs:[00000030h] 2_2_0124C600
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01278E00 mov eax, dword ptr fs:[00000030h] 2_2_01278E00
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01301608 mov eax, dword ptr fs:[00000030h] 2_2_01301608
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127A61C mov eax, dword ptr fs:[00000030h] 2_2_0127A61C
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0127A61C mov eax, dword ptr fs:[00000030h] 2_2_0127A61C
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0125766D mov eax, dword ptr fs:[00000030h] 2_2_0125766D
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0126AE73 mov eax, dword ptr fs:[00000030h] 2_2_0126AE73
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0126AE73 mov eax, dword ptr fs:[00000030h] 2_2_0126AE73
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0126AE73 mov eax, dword ptr fs:[00000030h] 2_2_0126AE73
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0126AE73 mov eax, dword ptr fs:[00000030h] 2_2_0126AE73
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0126AE73 mov eax, dword ptr fs:[00000030h] 2_2_0126AE73
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01257E41 mov eax, dword ptr fs:[00000030h] 2_2_01257E41
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01257E41 mov eax, dword ptr fs:[00000030h] 2_2_01257E41
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01257E41 mov eax, dword ptr fs:[00000030h] 2_2_01257E41
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01257E41 mov eax, dword ptr fs:[00000030h] 2_2_01257E41
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01257E41 mov eax, dword ptr fs:[00000030h] 2_2_01257E41
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01257E41 mov eax, dword ptr fs:[00000030h] 2_2_01257E41
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130AE44 mov eax, dword ptr fs:[00000030h] 2_2_0130AE44
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_0130AE44 mov eax, dword ptr fs:[00000030h] 2_2_0130AE44
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012C46A7 mov eax, dword ptr fs:[00000030h] 2_2_012C46A7
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01310EA5 mov eax, dword ptr fs:[00000030h] 2_2_01310EA5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01310EA5 mov eax, dword ptr fs:[00000030h] 2_2_01310EA5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01310EA5 mov eax, dword ptr fs:[00000030h] 2_2_01310EA5
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012DFE87 mov eax, dword ptr fs:[00000030h] 2_2_012DFE87
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012716E0 mov ecx, dword ptr fs:[00000030h] 2_2_012716E0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012576E2 mov eax, dword ptr fs:[00000030h] 2_2_012576E2
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01318ED6 mov eax, dword ptr fs:[00000030h] 2_2_01318ED6
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012736CC mov eax, dword ptr fs:[00000030h] 2_2_012736CC
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_012FFEC0 mov eax, dword ptr fs:[00000030h] 2_2_012FFEC0
Source: C:\Users\user\Desktop\in.exe Code function: 2_2_01288EC7 mov eax, dword ptr fs:[00000030h] 2_2_01288EC7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0395138A mov eax, dword ptr fs:[00000030h] 8_2_0395138A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03965BA5 mov eax, dword ptr fs:[00000030h] 8_2_03965BA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0392FF10 mov eax, dword ptr fs:[00000030h] 8_2_0392FF10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0392FF10 mov eax, dword ptr fs:[00000030h] 8_2_0392FF10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0395131B mov eax, dword ptr fs:[00000030h] 8_2_0395131B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0396070D mov eax, dword ptr fs:[00000030h] 8_2_0396070D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0396070D mov eax, dword ptr fs:[00000030h] 8_2_0396070D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03894F2E mov eax, dword ptr fs:[00000030h] 8_2_03894F2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03894F2E mov eax, dword ptr fs:[00000030h] 8_2_03894F2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038CE730 mov eax, dword ptr fs:[00000030h] 8_2_038CE730
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0389DB40 mov eax, dword ptr fs:[00000030h] 8_2_0389DB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038AEF40 mov eax, dword ptr fs:[00000030h] 8_2_038AEF40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03968B58 mov eax, dword ptr fs:[00000030h] 8_2_03968B58
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0389F358 mov eax, dword ptr fs:[00000030h] 8_2_0389F358
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03968F6A mov eax, dword ptr fs:[00000030h] 8_2_03968F6A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0392FE87 mov eax, dword ptr fs:[00000030h] 8_2_0392FE87
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038CD294 mov eax, dword ptr fs:[00000030h] 8_2_038CD294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038CD294 mov eax, dword ptr fs:[00000030h] 8_2_038CD294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038952A5 mov eax, dword ptr fs:[00000030h] 8_2_038952A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038952A5 mov eax, dword ptr fs:[00000030h] 8_2_038952A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038952A5 mov eax, dword ptr fs:[00000030h] 8_2_038952A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038952A5 mov eax, dword ptr fs:[00000030h] 8_2_038952A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038952A5 mov eax, dword ptr fs:[00000030h] 8_2_038952A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03960EA5 mov eax, dword ptr fs:[00000030h] 8_2_03960EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03960EA5 mov eax, dword ptr fs:[00000030h] 8_2_03960EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03960EA5 mov eax, dword ptr fs:[00000030h] 8_2_03960EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_039146A7 mov eax, dword ptr fs:[00000030h] 8_2_039146A7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03968ED6 mov eax, dword ptr fs:[00000030h] 8_2_03968ED6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038C36CC mov eax, dword ptr fs:[00000030h] 8_2_038C36CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0394FEC0 mov eax, dword ptr fs:[00000030h] 8_2_0394FEC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038C16E0 mov ecx, dword ptr fs:[00000030h] 8_2_038C16E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0389C600 mov eax, dword ptr fs:[00000030h] 8_2_0389C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0389C600 mov eax, dword ptr fs:[00000030h] 8_2_0389C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0389C600 mov eax, dword ptr fs:[00000030h] 8_2_0389C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0394FE3F mov eax, dword ptr fs:[00000030h] 8_2_0394FE3F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03899240 mov eax, dword ptr fs:[00000030h] 8_2_03899240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03899240 mov eax, dword ptr fs:[00000030h] 8_2_03899240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03899240 mov eax, dword ptr fs:[00000030h] 8_2_03899240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03899240 mov eax, dword ptr fs:[00000030h] 8_2_03899240
Enables debug privileges
Source: C:\Users\user\Desktop\in.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug
Source: C:\Users\user\Desktop\in.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 162.241.244.112 80
Source: C:\Windows\explorer.exe Domain query: www.holodov.net
Source: C:\Windows\explorer.exe Network Connect: 52.128.23.153 80
Source: C:\Windows\explorer.exe Domain query: www.leeindustrles.com
Source: C:\Windows\explorer.exe Domain query: www.couttsagency.com
Source: C:\Windows\explorer.exe Domain query: www.industry-automation.com
Source: C:\Windows\explorer.exe Domain query: www.fashionblessings.com
Source: C:\Windows\explorer.exe Domain query: www.hjtzzg.com
Source: C:\Windows\explorer.exe Network Connect: 156.245.135.187 80
Source: C:\Windows\explorer.exe Domain query: www.vedgc.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\in.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\in.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Users\user\Desktop\in.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\in.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\in.exe Thread APC queued: target process: C:\Windows\explorer.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\in.exe Process created: C:\Users\user\Desktop\in.exe C:\Users\user\Desktop\in.exe
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'
Source: explorer.exe, 00000003.00000000.258095067.0000000005EA0000.00000004.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.504508932.0000000005E90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.500633906.0000000001640000.00000002.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.504508932.0000000005E90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.500633906.0000000001640000.00000002.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.504508932.0000000005E90000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000003.00000002.499751254.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000003.00000002.500633906.0000000001640000.00000002.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.504508932.0000000005E90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000003.00000002.500633906.0000000001640000.00000002.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.504508932.0000000005E90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\in.exe Queries volume information: C:\Users\user\Desktop\in.exe VolumeInformation
Source: C:\Users\user\Desktop\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\in.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\in.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000008.00000002.500616903.00000000034C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285496471.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285906705.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.498508989.0000000001020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241660849.00000000034E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285926507.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.500429696.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE

Behavior Graph (ID: 412024, Sample: in.exe, Start date: 12/05/2021, Architecture: WINDOWS, Score: 100)

Process chain recovered from the graph:
in.exe (drops C:\Users\user\AppData\Local\...\in.exe.log, ASCII; tries to detect virtualization through RDTSC time measurements)
  -> in.exe (modifies the context of a thread in another process; maps a DLL or memory area into another process; queues an APC in another process)
  -> explorer.exe, injected (connects to couttsagency.com 162.241.244.112:80, UNIFIEDLAYER-AS-1US, United States; www.hjtzzg.com 156.245.135.187:80, DXTL-HKDXTLTseungKwanOServiceHK, Seychelles; and 7 other IPs or domains; uses netstat to query active network connections and open ports)
  -> NETSTAT.EXE (queries www.hjtzzg.com; thread injection; maps a DLL or memory area into another process; RDTSC-based virtualization check)
  -> cmd.exe
  -> conhost.exe
Top-level DNS/IP nodes: www.wcieckashmir.com, wcieckashmir.com, www.hana-pet.com

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
162.241.244.112 | couttsagency.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
52.128.23.153 | www.industry-automation.com | United States | 19324 | DOSARRESTUS | true
156.245.135.187 | www.hjtzzg.com | Seychelles | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | true
34.102.136.180 | fashionblessings.com | United States | 15169 | GOOGLEUS | false

Contacted Domains

Name | IP | Active
couttsagency.com | 162.241.244.112 | true
www.hjtzzg.com | 156.245.135.187 | true
fashionblessings.com | 34.102.136.180 | true
www.hana-pet.com | 107.151.118.90 | true
wcieckashmir.com | 78.142.63.38 | true
www.industry-automation.com | 52.128.23.153 | true
www.holodov.net | unknown | unknown
www.fashionblessings.com | unknown | unknown
www.wcieckashmir.com | unknown | unknown
www.vedgc.com | unknown | unknown
www.leeindustrles.com | unknown | unknown
www.couttsagency.com | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.holodov.net/sjgd/ | true | Avira URL Cloud: safe | low