Windows Analysis Report 6KdTCZit4e.exe

Overview

General Information

Sample Name: 6KdTCZit4e.exe
Analysis ID: 452425
MD5: ed43ff447cd5486610731a627a930607
SHA1: 91449c85fb2fa5d27f8db3c8c08cdfb9d3287162
SHA256: 91cdb947644a5a802adac7583a79e7e560da38839489a02e7464730ff66fd004
Tags: exe, Formbook

Detection

Threatname: FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • 6KdTCZit4e.exe (PID: 6568 cmdline: 'C:\Users\user\Desktop\6KdTCZit4e.exe' MD5: ED43FF447CD5486610731A627A930607)
    • 6KdTCZit4e.exe (PID: 6128 cmdline: C:\Users\user\Desktop\6KdTCZit4e.exe MD5: ED43FF447CD5486610731A627A930607)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 6708 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 4972 cmdline: /c del 'C:\Users\user\Desktop\6KdTCZit4e.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hometowncashbuyersgroup.com/kkt/"], "decoy": ["inspirafutebol.com", "customgiftshouston.com", "mycreativelending.com", "psplaystore.com", "newlivingsolutionshop.com", "dechefamsterdam.com", "servicingl0ans.com", "atsdholdings.com", "manifestarz.com", "sequenceanalytica.com", "gethealthcaresmart.com", "theartofsurprises.com", "pirateequitypatrick.com", "alliance-ce.com", "wingrushusa.com", "funtimespheres.com", "solevux.com", "antimasathya.com", "profitexcavator.com", "lankeboxshop.com", "aarthiramamurthy.com", "oldmopaiv.xyz", "mavispaguzellik.com", "milkamax.com", "sputnikvasisi.com", "gametoyou.com", "sisconbol.com", "thedreamcertificate.com", "vichy-menuiserie.com", "pv-step.com", "growingmindstrilingual.com", "tlcrentny.com", "jedshomebuilders.com", "curtailit.com", "integruschamber.com", "lanzamientosbimbocolombia.com", "tightlinesfishingco.com", "doubleuphome.com", "arctic.solar", "unstopabbledomains.com", "aggiornamento-isp.info", "clarkandhurnlaw.com", "barefootbirthstl.com", "seanfeuct.com", "measureformeasurehome.com", "stephsavy.com", "loveflowersandevents.com", "czsis.com", "midnightblueinc.com", "today.dental", "customwithme.com", "edisetiyo.com", "jasoneganrealtor.com", "rihxertiza.com", "seahorseblast.net", "nedayerasa.com", "cliftonheightshoa.net", "theprofilemba.com", "cfwoods.com", "dogggo.com", "casatranquillainletbeach.com", "u1023.com", "aromakapseln.com", "zhwanjie.com"]}

Yara Overview

Memory Dumps

Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings: the same ten $sequence_* matches, at the same offsets, as listed for the first memory dump above

Unpacked PEs

Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings: the same ten $sequence_* matches, at the same offsets, as listed for the first dump under Memory Dumps

Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings: the same six $sqlite3* matches, at the same offsets, as listed under Memory Dumps

Source: 7.2.6KdTCZit4e.exe.400000.0.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 7.2.6KdTCZit4e.exe.400000.0.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
          • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 6KdTCZit4e.exe, Virustotal: Detection: 38%
Source: 6KdTCZit4e.exe, ReversingLabs: Detection: 19%
Yara detected FormBook
Source: Yara match, File source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
Source: 7.2.6KdTCZit4e.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6KdTCZit4e.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 6KdTCZit4e.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.741672578.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 6KdTCZit4e.exe, 00000007.00000002.795763283.000000000136F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.925610066.0000000002D00000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 6KdTCZit4e.exe, 00000007.00000002.795763283.000000000136F000.00000040.00000001.sdmp, NETSTAT.EXE
Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.741672578.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.hometowncashbuyersgroup.com/kkt/
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic, HTTP traffic detected: GET /kkt/?ibQh=6llLiJzHhP5P5Lj&I48l2h=L0B8w9HUZaOZ7jw4+npXJ0F94zqPsX3Vt6n0qHR8lA3J0yAUFnvUFF5QUXy5W701wjCn HTTP/1.1 Host: www.thedreamcertificate.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /kkt/?I48l2h=JgCZg0ECNQCGdZh+l8D79i0V4/Xiha033Hwln1gAEXgZOLyx1jBrHFXC3spPC1oi0umv&ibQh=6llLiJzHhP5P5Lj HTTP/1.1 Host: www.seahorseblast.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown, DNS traffic detected: queries for: www.thedreamcertificate.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 08:35:02 GMT Server: Apache X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Content-Length: 202 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /kkt/ was not found on this server.</p></body></html>
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000008.00000000.767736283.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: 6KdTCZit4e.exe, String found in binary or memory: http://www.xboxleaders.com/api/friends.json?gamertag=
Source: 6KdTCZit4e.exe, String found in binary or memory: http://www.xboxleaders.com/api/profile.json?gamertag=
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_00419D60 NtCreateFile,
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_00419E10 NtReadFile,
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_00419E90 NtClose,
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_00419D5A NtCreateFile,
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_00419E0A NtReadFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D696D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D696E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D695D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D699A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69A10 NtQuerySection,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69A20 NtResumeThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D6A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D697A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D6A770 NtOpenThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69760 NtOpenProcess,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D6A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D698F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D698A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D6B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D699D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D695F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69560 NtWriteFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D6AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D69520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_028A9E90 NtClose,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_028A9E10 NtReadFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_028A9F40 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_028A9D60 NtCreateFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_028A9E0A NtReadFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_028A9D5A NtCreateFile,
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_0041E000
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_00401030
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_0041D1AB
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_0041E258
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_00401208
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_0041DD7D
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_00402D87
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_00402D90
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_00409E40
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_00409E3B
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_0041DF3E
Source: C:\Users\user\Desktop\6KdTCZit4e.exe, Code function: 7_2_00402FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D46E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D5EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D3B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D3841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02DE1002
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D3D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02DF1D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D2F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D20D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02D44120
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_028AE258
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_028AE000
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_028AD1AB
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02899E3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02899E40
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02892FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02892D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 13_2_02892D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: String function: 02D2B150 appears 32 times
          Source: 6KdTCZit4e.exe, 00000000.00000000.656062623.000000000080A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTimeSpanStyl.exe2 vs 6KdTCZit4e.exe
          Source: 6KdTCZit4e.exe, 00000007.00000002.793159947.00000000008CA000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTimeSpanStyl.exe2 vs 6KdTCZit4e.exe
          Source: 6KdTCZit4e.exe, 00000007.00000002.796525668.00000000014FF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 6KdTCZit4e.exe
          Source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamenetstat.exej% vs 6KdTCZit4e.exe
          Source: 6KdTCZit4e.exeBinary or memory string: OriginalFilenameTimeSpanStyl.exe2 vs 6KdTCZit4e.exe
          Source: 6KdTCZit4e.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@2/2
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6KdTCZit4e.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_01
          Source: 6KdTCZit4e.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: 6KdTCZit4e.exe | Virustotal: Detection: 38%
Source: 6KdTCZit4e.exe | ReversingLabs: Detection: 19%
Source: unknown | Process created: C:\Users\user\Desktop\6KdTCZit4e.exe 'C:\Users\user\Desktop\6KdTCZit4e.exe'
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Process created: C:\Users\user\Desktop\6KdTCZit4e.exe C:\Users\user\Desktop\6KdTCZit4e.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\6KdTCZit4e.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Process created: C:\Users\user\Desktop\6KdTCZit4e.exe C:\Users\user\Desktop\6KdTCZit4e.exe
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\6KdTCZit4e.exe'
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 6KdTCZit4e.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 6KdTCZit4e.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 6KdTCZit4e.exe | Static file information: File size 1148416 > 1048576
Source: 6KdTCZit4e.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x116a00
Source: 6KdTCZit4e.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.741672578.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 6KdTCZit4e.exe, 00000007.00000002.795763283.000000000136F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.925610066.0000000002D00000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 6KdTCZit4e.exe, 00000007.00000002.795763283.000000000136F000.00000040.00000001.sdmp, NETSTAT.EXE
Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.741672578.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041721D push es; ret
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_004175DF push ds; iretd
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_004175A0 push ds; iretd
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041B68C pushad ; iretd
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041CEB5 push eax; ret
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041CF6C push eax; ret
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041CF02 push eax; ret
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041CF0B push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D7D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028A721D push es; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028AB68C pushad ; iretd
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028ACEB5 push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028ACF0B push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028ACF02 push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028ACF6C push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028A75A0 push ds; iretd
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028A75DF push ds; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.05866733506

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE9
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 6KdTCZit4e.exe | Binary or memory string: WIRESHARK|WIRESHARK.EXE
Source: 6KdTCZit4e.exe | Binary or memory string: SKYPE|SKYPE.EXE'FIREFOX|FIREFOX.EXE+BOOTCAMP|BOOTCAMP.EXE/WIRESHARK|WIRESHARK.EXEAPROCESS HACKER|PROCESSHACKER.EXELOAD
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 00000000028998E4 second address: 00000000028998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 0000000002899B5E second address: 0000000002899B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_00409A90 rdtsc
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\6KdTCZit4e.exe TID: 6572 | Thread sleep time: -54990s >= -30000s
Source: C:\Users\user\Desktop\6KdTCZit4e.exe TID: 6620 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6176 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6680 | Thread sleep time: -35000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Thread delayed: delay time: 54990
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Thread delayed: delay time: 922337203685477
Source: 6KdTCZit4e.exe | Binary or memory string: vmCIYd
Source: explorer.exe, 00000008.00000000.741348182.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000008.00000000.748027302.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.778347337.0000000004710000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&f
Source: explorer.exe, 00000008.00000000.742728647.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 6KdTCZit4e.exe | Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
Source: explorer.exe, 00000008.00000000.748412391.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000008.00000000.778347337.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000008.00000000.741348182.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000008.00000000.748412391.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000008.00000000.741348182.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000008.00000000.748506664.000000000A77F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000008.00000000.741348182.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_00409A90 rdtsc
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0040ACD0 LdrLoadDll,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D68EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D536CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DDFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D376E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D516E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D5D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D5D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DBFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D3AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D3AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D5FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DB4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D29240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D29240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D29240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D29240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D37E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D37E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D37E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D37E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D37E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D37E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D4AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D4AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D4AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D4AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D4AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D6927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DDB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DDB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D3766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D43A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D2C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D2C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D2C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DDFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D2E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D637F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D5B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DE138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D31B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D31B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DDD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D2F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D2DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D3EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D53B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D53B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D2DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D3FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DE131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DBFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DBFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D5E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D24F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D24F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DBB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DBB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DBB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DBB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DBB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DBB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DE14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D29080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D5F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D5F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D5F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D690AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D40050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D40050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DBC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DBC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DE2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D4746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DD8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DB41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D5A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D47D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D63D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02DA3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D2C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE