Windows Analysis Report TT COPY_02101011.exe

Overview

General Information

Sample Name: TT COPY_02101011.exe
Analysis ID: 528714
MD5: ebabc0d66a9e01cc0926f3b311feff5f
SHA1: 83a44664135a7255045becde754dae29be496c8f
SHA256: ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b
Tags: exeFormbookxloader
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.helpfromjames.com/e8ia/"], "decoy": ["le-hameau-enchanteur.com", "quantumsystem-au.club", "engravedeeply.com", "yesrecompensas.lat", "cavallitowerofficials.com", "800seaspray.com", "skifun-jetski.com", "thouartafoot.com", "nft2dollar.com", "petrestore.online", "cjcutthecord2.com", "tippimccullough.com", "gadget198.xyz", "djmiriam.com", "bitbasepay.com", "cukierniawz.com", "mcclureic.xyz", "inthekitchenshakinandbakin.com", "busy-clicks.com", "melaniemorris.online", "elysiangp.com", "7bkj.com", "wakeanddraw.com", "ascalar.com", "iteraxon.com", "henleygirlscricket.com", "torresflooringdecorllc.com", "helgquieta.quest", "xesteem.com", "graffity-aws.com", "bolerparts.com", "andriylysenko.com", "bestinvest-4-you.com", "frelsicycling.com", "airductcleaningindianapolis.net", "nlproperties.net", "alkoora.xyz", "sakiyaman.com", "wwwsmyrnaschooldistrict.com", "unitedsafetyassociation.com", "fiveallianceapparel.com", "edgelordkids.com", "herhauling.com", "intelldat.com", "weprepareamerica-planet.com", "webartsolution.net", "yiquge.com", "marraasociados.com", "dentalimplantnearyou-ca.space", "linemanbible.com", "dunamisdispatchservicellc.com", "latamoperationalinstitute.com", "stpaulsschoolbagidora.com", "groupninemed.com", "solar-tribe.com", "footairdz.com", "blttsperma.quest", "xfeuio.xyz", "sahodyafbdchapter.com", "0934800.com", "dandftrading.com", "gladway.net", "mineriasinmercurio.com", "inaampm.com"]}
Multi AV Scanner detection for submitted file
Source: TT COPY_02101011.exe Virustotal: Detection: 36% Perma Link
Source: TT COPY_02101011.exe ReversingLabs: Detection: 15%
Yara detected FormBook
Source: Yara match File source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll ReversingLabs: Detection: 15%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.TT COPY_02101011.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.TT COPY_02101011.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.TT COPY_02101011.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.TT COPY_02101011.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.NETSTAT.EXE.372796c.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.TT COPY_02101011.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.NETSTAT.EXE.d6e840.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.TT COPY_02101011.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

barindex
Uses 32bit PE files
Source: TT COPY_02101011.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: TT COPY_02101011.exe, 00000000.00000003.677689499.0000000002A70000.00000004.00000001.sdmp, TT COPY_02101011.exe, 00000000.00000003.677942746.0000000002C00000.00000004.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TT COPY_02101011.exe, TT COPY_02101011.exe, 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405250
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00405C22 FindFirstFileA,FindClose, 0_2_00405C22
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49824 -> 143.95.80.65:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49824 -> 143.95.80.65:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49824 -> 143.95.80.65:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49850 -> 104.21.31.204:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49850 -> 104.21.31.204:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49850 -> 104.21.31.204:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 37.123.118.150 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 213.186.33.5 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.webartsolution.net
Source: C:\Windows\explorer.exe Network Connect: 185.65.236.168 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.mcclureic.xyz
Source: C:\Windows\explorer.exe Domain query: www.gadget198.xyz
Source: C:\Windows\explorer.exe Domain query: www.intelldat.com
Source: C:\Windows\explorer.exe Network Connect: 3.96.23.237 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.helpfromjames.com
Source: C:\Windows\explorer.exe Network Connect: 172.67.158.42 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.le-hameau-enchanteur.com
Source: C:\Windows\explorer.exe Domain query: www.blttsperma.quest
Source: C:\Windows\explorer.exe Network Connect: 198.54.125.56 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 151.139.128.11 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.yesrecompensas.lat
Source: C:\Windows\explorer.exe Domain query: www.henleygirlscricket.com
Source: C:\Windows\explorer.exe Network Connect: 143.95.80.65 80 Jump to behavior
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.mcclureic.xyz
Source: C:\Windows\explorer.exe DNS query: www.gadget198.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.helpfromjames.com/e8ia/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UK2NET-ASGB UK2NET-ASGB
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=XTCOm0O2ezcXVHmIGYJnNvyPH+9cp28MuHIwWYLOKrNEhJt2q4EPucT34N3PnC3WtYmv&xTh4=5jvdevo8uz HTTP/1.1Host: www.yesrecompensas.latConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz HTTP/1.1Host: www.gadget198.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=uzdrQi2cv+ipXcIIFlALJKSYThDDC/wlQTE6b69ZsR3gT5zSedzJyJgP4QFwrZDAKX1z&xTh4=5jvdevo8uz HTTP/1.1Host: www.le-hameau-enchanteur.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=Y16Z63O1gty4jexpGTflGuIz4Gugt4GYAlGZJQf+kV2UdFWHFdKuPaLe5BRm7+ulCaVU&xTh4=5jvdevo8uz HTTP/1.1Host: www.henleygirlscricket.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz HTTP/1.1Host: www.webartsolution.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=pR2xmGsT/5nillNQjkLQ+n9+6iNIwMBz7svLGcpZWnNs4I/1r36jcwvV3IT8Xqaw6HRS&xTh4=5jvdevo8uz HTTP/1.1Host: www.blttsperma.questConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=OP/FDNHzL21SrAXHedPkfpmrZidd0Yb29DNAw19ZtZADeK9OL3CpiCl5COoBoa9aFzWI&xTh4=5jvdevo8uz HTTP/1.1Host: www.intelldat.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 37.123.118.150 37.123.118.150
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.10.3 (Ubuntu)Date: Thu, 25 Nov 2021 16:50:07 GMTContent-Type: text/htmlContent-Length: 178Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.10.3 (Ubuntu)</center></body></html>
Source: TT COPY_02101011.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: TT COPY_02101011.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown DNS traffic detected: queries for: www.mcclureic.xyz
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=XTCOm0O2ezcXVHmIGYJnNvyPH+9cp28MuHIwWYLOKrNEhJt2q4EPucT34N3PnC3WtYmv&xTh4=5jvdevo8uz HTTP/1.1Host: www.yesrecompensas.latConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz HTTP/1.1Host: www.gadget198.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=uzdrQi2cv+ipXcIIFlALJKSYThDDC/wlQTE6b69ZsR3gT5zSedzJyJgP4QFwrZDAKX1z&xTh4=5jvdevo8uz HTTP/1.1Host: www.le-hameau-enchanteur.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=Y16Z63O1gty4jexpGTflGuIz4Gugt4GYAlGZJQf+kV2UdFWHFdKuPaLe5BRm7+ulCaVU&xTh4=5jvdevo8uz HTTP/1.1Host: www.henleygirlscricket.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz HTTP/1.1Host: www.webartsolution.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=pR2xmGsT/5nillNQjkLQ+n9+6iNIwMBz7svLGcpZWnNs4I/1r36jcwvV3IT8Xqaw6HRS&xTh4=5jvdevo8uz HTTP/1.1Host: www.blttsperma.questConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /e8ia/?iXg8nxg=OP/FDNHzL21SrAXHedPkfpmrZidd0Yb29DNAw19ZtZADeK9OL3CpiCl5COoBoa9aFzWI&xTh4=5jvdevo8uz HTTP/1.1Host: www.intelldat.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404E07

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: TT COPY_02101011.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030E3
Detected potential crypto function
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00406043 0_2_00406043
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00404618 0_2_00404618
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_0040681A 0_2_0040681A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_1000C41B 0_2_1000C41B
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_10015A51 0_2_10015A51
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_10014272 0_2_10014272
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_10013D00 0_2_10013D00
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_1000C90F 0_2_1000C90F
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_1000CD27 0_2_1000CD27
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_1000D15C 0_2_1000D15C
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_1000F16D 0_2_1000F16D
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_1001696C 0_2_1001696C
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_1000D591 0_2_1000D591
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_100147E4 0_2_100147E4
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00401026 1_2_00401026
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041D0EE 1_2_0041D0EE
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041C154 1_2_0041C154
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00401174 1_2_00401174
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00408C90 1_2_00408C90
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00402D88 1_2_00402D88
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC20A0 1_2_00AC20A0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B620A8 1_2_00B620A8
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAB090 1_2_00AAB090
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B628EC 1_2_00B628EC
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51002 1_2_00B51002
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB4120 1_2_00AB4120
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9F900 1_2_00A9F900
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B622AE 1_2_00B622AE
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACEBB0 1_2_00ACEBB0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5DBD2 1_2_00B5DBD2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B62B28 1_2_00B62B28
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA841F 1_2_00AA841F
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5D466 1_2_00B5D466
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC2581 1_2_00AC2581
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAD5E0 1_2_00AAD5E0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B625DD 1_2_00B625DD
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A90D20 1_2_00A90D20
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B62D07 1_2_00B62D07
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B61D55 1_2_00B61D55
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B62EF7 1_2_00B62EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E2B28 9_2_032E2B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324EBB0 9_2_0324EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032D03DA 9_2_032D03DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032DDBD2 9_2_032DDBD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E22AE 9_2_032E22AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03234120 9_2_03234120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321F900 9_2_0321F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032EE824 9_2_032EE824
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032D1002 9_2_032D1002
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032420A0 9_2_032420A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E20A8 9_2_032E20A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322B090 9_2_0322B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E28EC 9_2_032E28EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E1FF1 9_2_032E1FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032EDFCE 9_2_032EDFCE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03236E30 9_2_03236E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032DD616 9_2_032DD616
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E2EF7 9_2_032E2EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03210D20 9_2_03210D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E2D07 9_2_032E2D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E1D55 9_2_032E1D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03242581 9_2_03242581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322D5E0 9_2_0322D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E25DD 9_2_032E25DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322841F 9_2_0322841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032DD466 9_2_032DD466
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0077D0EE 9_2_0077D0EE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_00768C90 9_2_00768C90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_00762D90 9_2_00762D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_00762D88 9_2_00762D88
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_00762FB0 9_2_00762FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0321B150 appears 45 times
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: String function: 00A9B150 appears 34 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_004185F0 NtCreateFile, 1_2_004185F0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_004186A0 NtReadFile, 1_2_004186A0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00418720 NtClose, 1_2_00418720
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_004187D0 NtAllocateVirtualMemory, 1_2_004187D0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00AD98F0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00AD9860
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9840 NtDelayExecution,LdrInitializeThunk, 1_2_00AD9840
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD99A0 NtCreateSection,LdrInitializeThunk, 1_2_00AD99A0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00AD9910
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9A20 NtResumeThread,LdrInitializeThunk, 1_2_00AD9A20
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00AD9A00
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9A50 NtCreateFile,LdrInitializeThunk, 1_2_00AD9A50
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD95D0 NtClose,LdrInitializeThunk, 1_2_00AD95D0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9540 NtReadFile,LdrInitializeThunk, 1_2_00AD9540
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00AD96E0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00AD9660
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00AD97A0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00AD9780
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9FE0 NtCreateMutant,LdrInitializeThunk, 1_2_00AD9FE0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00AD9710
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD98A0 NtWriteVirtualMemory, 1_2_00AD98A0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9820 NtEnumerateKey, 1_2_00AD9820
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ADB040 NtSuspendThread, 1_2_00ADB040
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD99D0 NtCreateProcessEx, 1_2_00AD99D0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9950 NtQueueApcThread, 1_2_00AD9950
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9A80 NtOpenDirectoryObject, 1_2_00AD9A80
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9A10 NtQuerySection, 1_2_00AD9A10
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ADA3B0 NtGetContextThread, 1_2_00ADA3B0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9B00 NtSetValueKey, 1_2_00AD9B00
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD95F0 NtQueryInformationFile, 1_2_00AD95F0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9520 NtWaitForSingleObject, 1_2_00AD9520
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ADAD30 NtSetContextThread, 1_2_00ADAD30
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9560 NtWriteFile, 1_2_00AD9560
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD96D0 NtCreateKey, 1_2_00AD96D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259A50 NtCreateFile,LdrInitializeThunk, 9_2_03259A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_03259910
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032599A0 NtCreateSection,LdrInitializeThunk, 9_2_032599A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_03259860
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259840 NtDelayExecution,LdrInitializeThunk, 9_2_03259840
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259710 NtQueryInformationToken,LdrInitializeThunk, 9_2_03259710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259780 NtMapViewOfSection,LdrInitializeThunk, 9_2_03259780
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259FE0 NtCreateMutant,LdrInitializeThunk, 9_2_03259FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_03259660
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259650 NtQueryValueKey,LdrInitializeThunk, 9_2_03259650
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032596E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_032596E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032596D0 NtCreateKey,LdrInitializeThunk, 9_2_032596D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259540 NtReadFile,LdrInitializeThunk, 9_2_03259540
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032595D0 NtClose,LdrInitializeThunk, 9_2_032595D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259B00 NtSetValueKey, 9_2_03259B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0325A3B0 NtGetContextThread, 9_2_0325A3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259A20 NtResumeThread, 9_2_03259A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259A00 NtProtectVirtualMemory, 9_2_03259A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259A10 NtQuerySection, 9_2_03259A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259A80 NtOpenDirectoryObject, 9_2_03259A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259950 NtQueueApcThread, 9_2_03259950
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032599D0 NtCreateProcessEx, 9_2_032599D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259820 NtEnumerateKey, 9_2_03259820
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0325B040 NtSuspendThread, 9_2_0325B040
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032598A0 NtWriteVirtualMemory, 9_2_032598A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032598F0 NtReadVirtualMemory, 9_2_032598F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259730 NtQueryVirtualMemory, 9_2_03259730
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0325A710 NtOpenProcessToken, 9_2_0325A710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259760 NtOpenProcess, 9_2_03259760
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0325A770 NtOpenThread, 9_2_0325A770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259770 NtSetInformationFile, 9_2_03259770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032597A0 NtUnmapViewOfSection, 9_2_032597A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259610 NtEnumerateValueKey, 9_2_03259610
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259670 NtQueryInformationProcess, 9_2_03259670
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259520 NtWaitForSingleObject, 9_2_03259520
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0325AD30 NtSetContextThread, 9_2_0325AD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259560 NtWriteFile, 9_2_03259560
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032595F0 NtQueryInformationFile, 9_2_032595F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_007785F0 NtCreateFile, 9_2_007785F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_007786A0 NtReadFile, 9_2_007786A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_00778720 NtClose, 9_2_00778720
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_007787D0 NtAllocateVirtualMemory, 9_2_007787D0
Sample file is different than original file name gathered from version info
Source: TT COPY_02101011.exe, 00000000.00000003.679935537.0000000002B86000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TT COPY_02101011.exe
Source: TT COPY_02101011.exe, 00000000.00000003.679172952.0000000002D1F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TT COPY_02101011.exe
Source: TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TT COPY_02101011.exe
Source: TT COPY_02101011.exe, 00000001.00000002.748099738.0000000000D1F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TT COPY_02101011.exe
Source: TT COPY_02101011.exe Virustotal: Detection: 36%
Source: TT COPY_02101011.exe ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\TT COPY_02101011.exe File read: C:\Users\user\Desktop\TT COPY_02101011.exe Jump to behavior
Source: TT COPY_02101011.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\TT COPY_02101011.exe "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process created: C:\Users\user\Desktop\TT COPY_02101011.exe "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process created: C:\Users\user\Desktop\TT COPY_02101011.exe "C:\Users\user\Desktop\TT COPY_02101011.exe" Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TT COPY_02101011.exe" Jump to behavior
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\TT COPY_02101011.exe File created: C:\Users\user\AppData\Local\Temp\nsxA74D.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/2@13/8
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar, 0_2_00402012
Source: C:\Users\user\Desktop\TT COPY_02101011.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_0040411B
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:808:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Binary string: wntdll.pdbUGP source: TT COPY_02101011.exe, 00000000.00000003.677689499.0000000002A70000.00000004.00000001.sdmp, TT COPY_02101011.exe, 00000000.00000003.677942746.0000000002C00000.00000004.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TT COPY_02101011.exe, TT COPY_02101011.exe, 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_100116A5 push ecx; ret 0_2_100116B8
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041C060 push edx; ret 1_2_0041C152
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041B832 push eax; ret 1_2_0041B838
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041B83B push eax; ret 1_2_0041B8A2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041B89C push eax; ret 1_2_0041B8A2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_004153BE pushfd ; ret 1_2_004153C0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041551B push ecx; iretd 1_2_0041551D
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041B7E5 push eax; ret 1_2_0041B838
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AED0D1 push ecx; ret 1_2_00AED0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0326D0D1 push ecx; ret 9_2_0326D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0077C060 push edx; ret 9_2_0077C152
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0077B832 push eax; ret 9_2_0077B838
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0077B83B push eax; ret 9_2_0077B8A2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0077B89C push eax; ret 9_2_0077B8A2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_007753BE pushfd ; ret 9_2_007753C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0077551B push ecx; iretd 9_2_0077551D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0077B7E5 push eax; ret 9_2_0077B838
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405C49

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\TT COPY_02101011.exe File created: C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: /c del "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: /c del "C:\Users\user\Desktop\TT COPY_02101011.exe" Jump to behavior
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\TT COPY_02101011.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TT COPY_02101011.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000000768614 second address: 000000000076861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000007689AE second address: 00000000007689B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6084 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6328 Thread sleep time: -44000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_004088E0 rdtsc 1_2_004088E0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405250
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00405C22 FindFirstFileA,FindClose, 0_2_00405C22
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: explorer.exe, 00000004.00000000.713532059.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.725756968.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.713532059.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.684710887.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.713777981.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.713777981.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_10013220 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_10013220
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_10013220 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_10013220
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405C49
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_10001000 GetProcessHeap,HeapAlloc,RegCreateKeyExW,GetProcessHeap,HeapFree, 0_2_10001000
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_004088E0 rdtsc 1_2_004088E0
Enables debug privileges
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD90AF mov eax, dword ptr fs:[00000030h] 1_2_00AD90AF
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC20A0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC20A0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC20A0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC20A0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC20A0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC20A0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACF0BF mov ecx, dword ptr fs:[00000030h] 1_2_00ACF0BF
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACF0BF mov eax, dword ptr fs:[00000030h] 1_2_00ACF0BF
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACF0BF mov eax, dword ptr fs:[00000030h] 1_2_00ACF0BF
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99080 mov eax, dword ptr fs:[00000030h] 1_2_00A99080
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B13884 mov eax, dword ptr fs:[00000030h] 1_2_00B13884
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B13884 mov eax, dword ptr fs:[00000030h] 1_2_00B13884
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A958EC mov eax, dword ptr fs:[00000030h] 1_2_00A958EC
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B2B8D0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00B2B8D0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B2B8D0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B2B8D0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B2B8D0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B2B8D0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAB02A mov eax, dword ptr fs:[00000030h] 1_2_00AAB02A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAB02A mov eax, dword ptr fs:[00000030h] 1_2_00AAB02A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAB02A mov eax, dword ptr fs:[00000030h] 1_2_00AAB02A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAB02A mov eax, dword ptr fs:[00000030h] 1_2_00AAB02A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h] 1_2_00AC002D
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h] 1_2_00AC002D
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h] 1_2_00AC002D
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h] 1_2_00AC002D
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h] 1_2_00AC002D
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B64015 mov eax, dword ptr fs:[00000030h] 1_2_00B64015
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B64015 mov eax, dword ptr fs:[00000030h] 1_2_00B64015
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B17016 mov eax, dword ptr fs:[00000030h] 1_2_00B17016
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B17016 mov eax, dword ptr fs:[00000030h] 1_2_00B17016
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B17016 mov eax, dword ptr fs:[00000030h] 1_2_00B17016
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B61074 mov eax, dword ptr fs:[00000030h] 1_2_00B61074
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B52073 mov eax, dword ptr fs:[00000030h] 1_2_00B52073
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB0050 mov eax, dword ptr fs:[00000030h] 1_2_00AB0050
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB0050 mov eax, dword ptr fs:[00000030h] 1_2_00AB0050
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC61A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC61A0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC61A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC61A0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B151BE mov eax, dword ptr fs:[00000030h] 1_2_00B151BE
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B151BE mov eax, dword ptr fs:[00000030h] 1_2_00B151BE
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B151BE mov eax, dword ptr fs:[00000030h] 1_2_00B151BE
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B151BE mov eax, dword ptr fs:[00000030h] 1_2_00B151BE
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B169A6 mov eax, dword ptr fs:[00000030h] 1_2_00B169A6
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACA185 mov eax, dword ptr fs:[00000030h] 1_2_00ACA185
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ABC182 mov eax, dword ptr fs:[00000030h] 1_2_00ABC182
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC2990 mov eax, dword ptr fs:[00000030h] 1_2_00AC2990
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A9B1E1
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A9B1E1
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A9B1E1
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B241E8 mov eax, dword ptr fs:[00000030h] 1_2_00B241E8
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB4120 mov eax, dword ptr fs:[00000030h] 1_2_00AB4120
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB4120 mov eax, dword ptr fs:[00000030h] 1_2_00AB4120
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB4120 mov eax, dword ptr fs:[00000030h] 1_2_00AB4120
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB4120 mov eax, dword ptr fs:[00000030h] 1_2_00AB4120
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB4120 mov ecx, dword ptr fs:[00000030h] 1_2_00AB4120
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC513A mov eax, dword ptr fs:[00000030h] 1_2_00AC513A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC513A mov eax, dword ptr fs:[00000030h] 1_2_00AC513A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99100 mov eax, dword ptr fs:[00000030h] 1_2_00A99100
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99100 mov eax, dword ptr fs:[00000030h] 1_2_00A99100
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99100 mov eax, dword ptr fs:[00000030h] 1_2_00A99100
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9C962 mov eax, dword ptr fs:[00000030h] 1_2_00A9C962
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9B171 mov eax, dword ptr fs:[00000030h] 1_2_00A9B171
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9B171 mov eax, dword ptr fs:[00000030h] 1_2_00A9B171
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ABB944 mov eax, dword ptr fs:[00000030h] 1_2_00ABB944
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ABB944 mov eax, dword ptr fs:[00000030h] 1_2_00ABB944
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h] 1_2_00A952A5
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h] 1_2_00A952A5
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h] 1_2_00A952A5
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h] 1_2_00A952A5
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h] 1_2_00A952A5
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAAAB0 mov eax, dword ptr fs:[00000030h] 1_2_00AAAAB0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAAAB0 mov eax, dword ptr fs:[00000030h] 1_2_00AAAAB0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACFAB0 mov eax, dword ptr fs:[00000030h] 1_2_00ACFAB0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACD294 mov eax, dword ptr fs:[00000030h] 1_2_00ACD294
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACD294 mov eax, dword ptr fs:[00000030h] 1_2_00ACD294
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC2AE4 mov eax, dword ptr fs:[00000030h] 1_2_00AC2AE4
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC2ACB mov eax, dword ptr fs:[00000030h] 1_2_00AC2ACB
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD4A2C mov eax, dword ptr fs:[00000030h] 1_2_00AD4A2C
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD4A2C mov eax, dword ptr fs:[00000030h] 1_2_00AD4A2C
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA8A0A mov eax, dword ptr fs:[00000030h] 1_2_00AA8A0A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5AA16 mov eax, dword ptr fs:[00000030h] 1_2_00B5AA16
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5AA16 mov eax, dword ptr fs:[00000030h] 1_2_00B5AA16
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB3A1C mov eax, dword ptr fs:[00000030h] 1_2_00AB3A1C
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A95210 mov eax, dword ptr fs:[00000030h] 1_2_00A95210
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A95210 mov ecx, dword ptr fs:[00000030h] 1_2_00A95210
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A95210 mov eax, dword ptr fs:[00000030h] 1_2_00A95210
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A95210 mov eax, dword ptr fs:[00000030h] 1_2_00A95210
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A9AA16
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A9AA16
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B4B260 mov eax, dword ptr fs:[00000030h] 1_2_00B4B260
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B4B260 mov eax, dword ptr fs:[00000030h] 1_2_00B4B260
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B68A62 mov eax, dword ptr fs:[00000030h] 1_2_00B68A62
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD927A mov eax, dword ptr fs:[00000030h] 1_2_00AD927A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5EA55 mov eax, dword ptr fs:[00000030h] 1_2_00B5EA55
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B24257 mov eax, dword ptr fs:[00000030h] 1_2_00B24257
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h] 1_2_00A99240
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h] 1_2_00A99240
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h] 1_2_00A99240
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h] 1_2_00A99240
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AC4BAD
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AC4BAD
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AC4BAD
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B65BA5 mov eax, dword ptr fs:[00000030h] 1_2_00B65BA5
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA1B8F mov eax, dword ptr fs:[00000030h] 1_2_00AA1B8F
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA1B8F mov eax, dword ptr fs:[00000030h] 1_2_00AA1B8F
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B4D380 mov ecx, dword ptr fs:[00000030h] 1_2_00B4D380
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC2397 mov eax, dword ptr fs:[00000030h] 1_2_00AC2397
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACB390 mov eax, dword ptr fs:[00000030h] 1_2_00ACB390
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5138A mov eax, dword ptr fs:[00000030h] 1_2_00B5138A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ABDBE9 mov eax, dword ptr fs:[00000030h] 1_2_00ABDBE9
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC03E2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC03E2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC03E2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC03E2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC03E2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC03E2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B153CA mov eax, dword ptr fs:[00000030h] 1_2_00B153CA
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B153CA mov eax, dword ptr fs:[00000030h] 1_2_00B153CA
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5131B mov eax, dword ptr fs:[00000030h] 1_2_00B5131B
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9DB60 mov ecx, dword ptr fs:[00000030h] 1_2_00A9DB60
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC3B7A mov eax, dword ptr fs:[00000030h] 1_2_00AC3B7A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC3B7A mov eax, dword ptr fs:[00000030h] 1_2_00AC3B7A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9DB40 mov eax, dword ptr fs:[00000030h] 1_2_00A9DB40
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B68B58 mov eax, dword ptr fs:[00000030h] 1_2_00B68B58
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9F358 mov eax, dword ptr fs:[00000030h] 1_2_00A9F358
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA849B mov eax, dword ptr fs:[00000030h] 1_2_00AA849B
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B16CF0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B16CF0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B16CF0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B514FB mov eax, dword ptr fs:[00000030h] 1_2_00B514FB
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B68CD6 mov eax, dword ptr fs:[00000030h] 1_2_00B68CD6
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACBC2C mov eax, dword ptr fs:[00000030h] 1_2_00ACBC2C
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B6740D mov eax, dword ptr fs:[00000030h] 1_2_00B6740D
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B6740D mov eax, dword ptr fs:[00000030h] 1_2_00B6740D
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B6740D mov eax, dword ptr fs:[00000030h] 1_2_00B6740D
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h] 1_2_00B16C0A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h] 1_2_00B16C0A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h] 1_2_00B16C0A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h] 1_2_00B16C0A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB746D mov eax, dword ptr fs:[00000030h] 1_2_00AB746D
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2C450 mov eax, dword ptr fs:[00000030h] 1_2_00B2C450
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2C450 mov eax, dword ptr fs:[00000030h] 1_2_00B2C450
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACA44B mov eax, dword ptr fs:[00000030h] 1_2_00ACA44B
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC35A1 mov eax, dword ptr fs:[00000030h] 1_2_00AC35A1
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AC1DB5
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AC1DB5
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AC1DB5
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B605AC mov eax, dword ptr fs:[00000030h] 1_2_00B605AC
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B605AC mov eax, dword ptr fs:[00000030h] 1_2_00B605AC
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h] 1_2_00A92D8A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h] 1_2_00A92D8A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h] 1_2_00A92D8A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h] 1_2_00A92D8A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h] 1_2_00A92D8A
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h] 1_2_00AC2581
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h] 1_2_00AC2581
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h] 1_2_00AC2581
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h] 1_2_00AC2581
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACFD9B mov eax, dword ptr fs:[00000030h] 1_2_00ACFD9B
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACFD9B mov eax, dword ptr fs:[00000030h] 1_2_00ACFD9B
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B48DF1 mov eax, dword ptr fs:[00000030h] 1_2_00B48DF1
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAD5E0 mov eax, dword ptr fs:[00000030h] 1_2_00AAD5E0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAD5E0 mov eax, dword ptr fs:[00000030h] 1_2_00AAD5E0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B5FDE2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B5FDE2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B5FDE2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B5FDE2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B16DC9
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B16DC9
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B16DC9
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00B16DC9
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B16DC9
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B16DC9
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B68D34 mov eax, dword ptr fs:[00000030h] 1_2_00B68D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B1A537 mov eax, dword ptr fs:[00000030h] 1_2_00B1A537
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5E539 mov eax, dword ptr fs:[00000030h] 1_2_00B5E539
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AC4D3B
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AC4D3B
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AC4D3B
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9AD30 mov eax, dword ptr fs:[00000030h] 1_2_00A9AD30
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ABC577 mov eax, dword ptr fs:[00000030h] 1_2_00ABC577
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ABC577 mov eax, dword ptr fs:[00000030h] 1_2_00ABC577
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD3D43 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D43
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B13540 mov eax, dword ptr fs:[00000030h] 1_2_00B13540
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB7D50 mov eax, dword ptr fs:[00000030h] 1_2_00AB7D50
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B60EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B60EA5
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B60EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B60EA5
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B60EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B60EA5
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B146A7 mov eax, dword ptr fs:[00000030h] 1_2_00B146A7
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2FE87 mov eax, dword ptr fs:[00000030h] 1_2_00B2FE87
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA76E2 mov eax, dword ptr fs:[00000030h] 1_2_00AA76E2
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC16E0 mov ecx, dword ptr fs:[00000030h] 1_2_00AC16E0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B68ED6 mov eax, dword ptr fs:[00000030h] 1_2_00B68ED6
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC36CC mov eax, dword ptr fs:[00000030h] 1_2_00AC36CC
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD8EC7 mov eax, dword ptr fs:[00000030h] 1_2_00AD8EC7
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B4FEC0 mov eax, dword ptr fs:[00000030h] 1_2_00B4FEC0
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9E620 mov eax, dword ptr fs:[00000030h] 1_2_00A9E620
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B4FE3F mov eax, dword ptr fs:[00000030h] 1_2_00B4FE3F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032D131B mov eax, dword ptr fs:[00000030h] 9_2_032D131B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321DB60 mov ecx, dword ptr fs:[00000030h] 9_2_0321DB60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03243B7A mov eax, dword ptr fs:[00000030h] 9_2_03243B7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03243B7A mov eax, dword ptr fs:[00000030h] 9_2_03243B7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321DB40 mov eax, dword ptr fs:[00000030h] 9_2_0321DB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E8B58 mov eax, dword ptr fs:[00000030h] 9_2_032E8B58
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321F358 mov eax, dword ptr fs:[00000030h] 9_2_0321F358
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03244BAD mov eax, dword ptr fs:[00000030h] 9_2_03244BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03244BAD mov eax, dword ptr fs:[00000030h] 9_2_03244BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03244BAD mov eax, dword ptr fs:[00000030h] 9_2_03244BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E5BA5 mov eax, dword ptr fs:[00000030h] 9_2_032E5BA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032D138A mov eax, dword ptr fs:[00000030h] 9_2_032D138A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032CD380 mov ecx, dword ptr fs:[00000030h] 9_2_032CD380
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03221B8F mov eax, dword ptr fs:[00000030h] 9_2_03221B8F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03221B8F mov eax, dword ptr fs:[00000030h] 9_2_03221B8F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03242397 mov eax, dword ptr fs:[00000030h] 9_2_03242397
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324B390 mov eax, dword ptr fs:[00000030h] 9_2_0324B390
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032403E2 mov eax, dword ptr fs:[00000030h] 9_2_032403E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032403E2 mov eax, dword ptr fs:[00000030h] 9_2_032403E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032403E2 mov eax, dword ptr fs:[00000030h] 9_2_032403E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032403E2 mov eax, dword ptr fs:[00000030h] 9_2_032403E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032403E2 mov eax, dword ptr fs:[00000030h] 9_2_032403E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032403E2 mov eax, dword ptr fs:[00000030h] 9_2_032403E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0323DBE9 mov eax, dword ptr fs:[00000030h] 9_2_0323DBE9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032953CA mov eax, dword ptr fs:[00000030h] 9_2_032953CA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032953CA mov eax, dword ptr fs:[00000030h] 9_2_032953CA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03254A2C mov eax, dword ptr fs:[00000030h] 9_2_03254A2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03254A2C mov eax, dword ptr fs:[00000030h] 9_2_03254A2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03228A0A mov eax, dword ptr fs:[00000030h] 9_2_03228A0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03215210 mov eax, dword ptr fs:[00000030h] 9_2_03215210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03215210 mov ecx, dword ptr fs:[00000030h] 9_2_03215210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03215210 mov eax, dword ptr fs:[00000030h] 9_2_03215210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03215210 mov eax, dword ptr fs:[00000030h] 9_2_03215210
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321AA16 mov eax, dword ptr fs:[00000030h] 9_2_0321AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321AA16 mov eax, dword ptr fs:[00000030h] 9_2_0321AA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032DAA16 mov eax, dword ptr fs:[00000030h] 9_2_032DAA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032DAA16 mov eax, dword ptr fs:[00000030h] 9_2_032DAA16
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03233A1C mov eax, dword ptr fs:[00000030h] 9_2_03233A1C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032CB260 mov eax, dword ptr fs:[00000030h] 9_2_032CB260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032CB260 mov eax, dword ptr fs:[00000030h] 9_2_032CB260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E8A62 mov eax, dword ptr fs:[00000030h] 9_2_032E8A62
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0325927A mov eax, dword ptr fs:[00000030h] 9_2_0325927A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03219240 mov eax, dword ptr fs:[00000030h] 9_2_03219240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03219240 mov eax, dword ptr fs:[00000030h] 9_2_03219240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03219240 mov eax, dword ptr fs:[00000030h] 9_2_03219240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03219240 mov eax, dword ptr fs:[00000030h] 9_2_03219240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032DEA55 mov eax, dword ptr fs:[00000030h] 9_2_032DEA55
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032A4257 mov eax, dword ptr fs:[00000030h] 9_2_032A4257
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032152A5 mov eax, dword ptr fs:[00000030h] 9_2_032152A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032152A5 mov eax, dword ptr fs:[00000030h] 9_2_032152A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032152A5 mov eax, dword ptr fs:[00000030h] 9_2_032152A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032152A5 mov eax, dword ptr fs:[00000030h] 9_2_032152A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032152A5 mov eax, dword ptr fs:[00000030h] 9_2_032152A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322AAB0 mov eax, dword ptr fs:[00000030h] 9_2_0322AAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322AAB0 mov eax, dword ptr fs:[00000030h] 9_2_0322AAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324FAB0 mov eax, dword ptr fs:[00000030h] 9_2_0324FAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324D294 mov eax, dword ptr fs:[00000030h] 9_2_0324D294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324D294 mov eax, dword ptr fs:[00000030h] 9_2_0324D294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03242AE4 mov eax, dword ptr fs:[00000030h] 9_2_03242AE4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03242ACB mov eax, dword ptr fs:[00000030h] 9_2_03242ACB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03234120 mov eax, dword ptr fs:[00000030h] 9_2_03234120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03234120 mov eax, dword ptr fs:[00000030h] 9_2_03234120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03234120 mov eax, dword ptr fs:[00000030h] 9_2_03234120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03234120 mov eax, dword ptr fs:[00000030h] 9_2_03234120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03234120 mov ecx, dword ptr fs:[00000030h] 9_2_03234120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324513A mov eax, dword ptr fs:[00000030h] 9_2_0324513A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324513A mov eax, dword ptr fs:[00000030h] 9_2_0324513A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03219100 mov eax, dword ptr fs:[00000030h] 9_2_03219100
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03219100 mov eax, dword ptr fs:[00000030h] 9_2_03219100
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03219100 mov eax, dword ptr fs:[00000030h] 9_2_03219100
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321C962 mov eax, dword ptr fs:[00000030h] 9_2_0321C962
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321B171 mov eax, dword ptr fs:[00000030h] 9_2_0321B171
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321B171 mov eax, dword ptr fs:[00000030h] 9_2_0321B171
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0323B944 mov eax, dword ptr fs:[00000030h] 9_2_0323B944
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0323B944 mov eax, dword ptr fs:[00000030h] 9_2_0323B944
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032461A0 mov eax, dword ptr fs:[00000030h] 9_2_032461A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032461A0 mov eax, dword ptr fs:[00000030h] 9_2_032461A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032D49A4 mov eax, dword ptr fs:[00000030h] 9_2_032D49A4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032D49A4 mov eax, dword ptr fs:[00000030h] 9_2_032D49A4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032D49A4 mov eax, dword ptr fs:[00000030h] 9_2_032D49A4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032D49A4 mov eax, dword ptr fs:[00000030h] 9_2_032D49A4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032969A6 mov eax, dword ptr fs:[00000030h] 9_2_032969A6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032951BE mov eax, dword ptr fs:[00000030h] 9_2_032951BE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032951BE mov eax, dword ptr fs:[00000030h] 9_2_032951BE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032951BE mov eax, dword ptr fs:[00000030h] 9_2_032951BE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032951BE mov eax, dword ptr fs:[00000030h] 9_2_032951BE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0323C182 mov eax, dword ptr fs:[00000030h] 9_2_0323C182
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324A185 mov eax, dword ptr fs:[00000030h] 9_2_0324A185
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03242990 mov eax, dword ptr fs:[00000030h] 9_2_03242990
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0321B1E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0321B1E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0321B1E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032A41E8 mov eax, dword ptr fs:[00000030h] 9_2_032A41E8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322B02A mov eax, dword ptr fs:[00000030h] 9_2_0322B02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322B02A mov eax, dword ptr fs:[00000030h] 9_2_0322B02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322B02A mov eax, dword ptr fs:[00000030h] 9_2_0322B02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322B02A mov eax, dword ptr fs:[00000030h] 9_2_0322B02A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324002D mov eax, dword ptr fs:[00000030h] 9_2_0324002D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324002D mov eax, dword ptr fs:[00000030h] 9_2_0324002D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324002D mov eax, dword ptr fs:[00000030h] 9_2_0324002D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324002D mov eax, dword ptr fs:[00000030h] 9_2_0324002D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324002D mov eax, dword ptr fs:[00000030h] 9_2_0324002D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E4015 mov eax, dword ptr fs:[00000030h] 9_2_032E4015
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E4015 mov eax, dword ptr fs:[00000030h] 9_2_032E4015
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03297016 mov eax, dword ptr fs:[00000030h] 9_2_03297016
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03297016 mov eax, dword ptr fs:[00000030h] 9_2_03297016
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03297016 mov eax, dword ptr fs:[00000030h] 9_2_03297016
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E1074 mov eax, dword ptr fs:[00000030h] 9_2_032E1074
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032D2073 mov eax, dword ptr fs:[00000030h] 9_2_032D2073
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03230050 mov eax, dword ptr fs:[00000030h] 9_2_03230050
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03230050 mov eax, dword ptr fs:[00000030h] 9_2_03230050
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032420A0 mov eax, dword ptr fs:[00000030h] 9_2_032420A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032420A0 mov eax, dword ptr fs:[00000030h] 9_2_032420A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032420A0 mov eax, dword ptr fs:[00000030h] 9_2_032420A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032420A0 mov eax, dword ptr fs:[00000030h] 9_2_032420A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032420A0 mov eax, dword ptr fs:[00000030h] 9_2_032420A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032420A0 mov eax, dword ptr fs:[00000030h] 9_2_032420A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032590AF mov eax, dword ptr fs:[00000030h] 9_2_032590AF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324F0BF mov ecx, dword ptr fs:[00000030h] 9_2_0324F0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324F0BF mov eax, dword ptr fs:[00000030h] 9_2_0324F0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324F0BF mov eax, dword ptr fs:[00000030h] 9_2_0324F0BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03219080 mov eax, dword ptr fs:[00000030h] 9_2_03219080
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03293884 mov eax, dword ptr fs:[00000030h] 9_2_03293884
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03293884 mov eax, dword ptr fs:[00000030h] 9_2_03293884
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032140E1 mov eax, dword ptr fs:[00000030h] 9_2_032140E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032140E1 mov eax, dword ptr fs:[00000030h] 9_2_032140E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032140E1 mov eax, dword ptr fs:[00000030h] 9_2_032140E1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032158EC mov eax, dword ptr fs:[00000030h] 9_2_032158EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h] 9_2_032AB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032AB8D0 mov ecx, dword ptr fs:[00000030h] 9_2_032AB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h] 9_2_032AB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h] 9_2_032AB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h] 9_2_032AB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h] 9_2_032AB8D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03214F2E mov eax, dword ptr fs:[00000030h] 9_2_03214F2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03214F2E mov eax, dword ptr fs:[00000030h] 9_2_03214F2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324E730 mov eax, dword ptr fs:[00000030h] 9_2_0324E730
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E070D mov eax, dword ptr fs:[00000030h] 9_2_032E070D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E070D mov eax, dword ptr fs:[00000030h] 9_2_032E070D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324A70E mov eax, dword ptr fs:[00000030h] 9_2_0324A70E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324A70E mov eax, dword ptr fs:[00000030h] 9_2_0324A70E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0323F716 mov eax, dword ptr fs:[00000030h] 9_2_0323F716
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032AFF10 mov eax, dword ptr fs:[00000030h] 9_2_032AFF10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032AFF10 mov eax, dword ptr fs:[00000030h] 9_2_032AFF10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322FF60 mov eax, dword ptr fs:[00000030h] 9_2_0322FF60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E8F6A mov eax, dword ptr fs:[00000030h] 9_2_032E8F6A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322EF40 mov eax, dword ptr fs:[00000030h] 9_2_0322EF40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03228794 mov eax, dword ptr fs:[00000030h] 9_2_03228794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03297794 mov eax, dword ptr fs:[00000030h] 9_2_03297794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03297794 mov eax, dword ptr fs:[00000030h] 9_2_03297794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03297794 mov eax, dword ptr fs:[00000030h] 9_2_03297794
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032537F5 mov eax, dword ptr fs:[00000030h] 9_2_032537F5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321E620 mov eax, dword ptr fs:[00000030h] 9_2_0321E620
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032CFE3F mov eax, dword ptr fs:[00000030h] 9_2_032CFE3F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321C600 mov eax, dword ptr fs:[00000030h] 9_2_0321C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321C600 mov eax, dword ptr fs:[00000030h] 9_2_0321C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321C600 mov eax, dword ptr fs:[00000030h] 9_2_0321C600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03248E00 mov eax, dword ptr fs:[00000030h] 9_2_03248E00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032D1608 mov eax, dword ptr fs:[00000030h] 9_2_032D1608
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324A61C mov eax, dword ptr fs:[00000030h] 9_2_0324A61C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324A61C mov eax, dword ptr fs:[00000030h] 9_2_0324A61C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322766D mov eax, dword ptr fs:[00000030h] 9_2_0322766D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0323AE73 mov eax, dword ptr fs:[00000030h] 9_2_0323AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0323AE73 mov eax, dword ptr fs:[00000030h] 9_2_0323AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0323AE73 mov eax, dword ptr fs:[00000030h] 9_2_0323AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0323AE73 mov eax, dword ptr fs:[00000030h] 9_2_0323AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0323AE73 mov eax, dword ptr fs:[00000030h] 9_2_0323AE73
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03227E41 mov eax, dword ptr fs:[00000030h] 9_2_03227E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03227E41 mov eax, dword ptr fs:[00000030h] 9_2_03227E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03227E41 mov eax, dword ptr fs:[00000030h] 9_2_03227E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03227E41 mov eax, dword ptr fs:[00000030h] 9_2_03227E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03227E41 mov eax, dword ptr fs:[00000030h] 9_2_03227E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03227E41 mov eax, dword ptr fs:[00000030h] 9_2_03227E41
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032DAE44 mov eax, dword ptr fs:[00000030h] 9_2_032DAE44
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032DAE44 mov eax, dword ptr fs:[00000030h] 9_2_032DAE44
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E0EA5 mov eax, dword ptr fs:[00000030h] 9_2_032E0EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E0EA5 mov eax, dword ptr fs:[00000030h] 9_2_032E0EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E0EA5 mov eax, dword ptr fs:[00000030h] 9_2_032E0EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032946A7 mov eax, dword ptr fs:[00000030h] 9_2_032946A7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032AFE87 mov eax, dword ptr fs:[00000030h] 9_2_032AFE87
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032276E2 mov eax, dword ptr fs:[00000030h] 9_2_032276E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032416E0 mov ecx, dword ptr fs:[00000030h] 9_2_032416E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03258EC7 mov eax, dword ptr fs:[00000030h] 9_2_03258EC7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032436CC mov eax, dword ptr fs:[00000030h] 9_2_032436CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032CFEC0 mov eax, dword ptr fs:[00000030h] 9_2_032CFEC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E8ED6 mov eax, dword ptr fs:[00000030h] 9_2_032E8ED6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0321AD30 mov eax, dword ptr fs:[00000030h] 9_2_0321AD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032DE539 mov eax, dword ptr fs:[00000030h] 9_2_032DE539
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] 9_2_03223D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] 9_2_03223D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] 9_2_03223D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] 9_2_03223D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] 9_2_03223D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] 9_2_03223D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] 9_2_03223D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] 9_2_03223D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] 9_2_03223D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] 9_2_03223D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] 9_2_03223D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] 9_2_03223D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] 9_2_03223D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E8D34 mov eax, dword ptr fs:[00000030h] 9_2_032E8D34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0329A537 mov eax, dword ptr fs:[00000030h] 9_2_0329A537
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03244D3B mov eax, dword ptr fs:[00000030h] 9_2_03244D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03244D3B mov eax, dword ptr fs:[00000030h] 9_2_03244D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03244D3B mov eax, dword ptr fs:[00000030h] 9_2_03244D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0323C577 mov eax, dword ptr fs:[00000030h] 9_2_0323C577
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0323C577 mov eax, dword ptr fs:[00000030h] 9_2_0323C577
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03253D43 mov eax, dword ptr fs:[00000030h] 9_2_03253D43
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03293540 mov eax, dword ptr fs:[00000030h] 9_2_03293540
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032C3D40 mov eax, dword ptr fs:[00000030h] 9_2_032C3D40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03237D50 mov eax, dword ptr fs:[00000030h] 9_2_03237D50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E05AC mov eax, dword ptr fs:[00000030h] 9_2_032E05AC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E05AC mov eax, dword ptr fs:[00000030h] 9_2_032E05AC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032435A1 mov eax, dword ptr fs:[00000030h] 9_2_032435A1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03241DB5 mov eax, dword ptr fs:[00000030h] 9_2_03241DB5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03241DB5 mov eax, dword ptr fs:[00000030h] 9_2_03241DB5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03241DB5 mov eax, dword ptr fs:[00000030h] 9_2_03241DB5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03242581 mov eax, dword ptr fs:[00000030h] 9_2_03242581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03242581 mov eax, dword ptr fs:[00000030h] 9_2_03242581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03242581 mov eax, dword ptr fs:[00000030h] 9_2_03242581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03242581 mov eax, dword ptr fs:[00000030h] 9_2_03242581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03212D8A mov eax, dword ptr fs:[00000030h] 9_2_03212D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03212D8A mov eax, dword ptr fs:[00000030h] 9_2_03212D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03212D8A mov eax, dword ptr fs:[00000030h] 9_2_03212D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03212D8A mov eax, dword ptr fs:[00000030h] 9_2_03212D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03212D8A mov eax, dword ptr fs:[00000030h] 9_2_03212D8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324FD9B mov eax, dword ptr fs:[00000030h] 9_2_0324FD9B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324FD9B mov eax, dword ptr fs:[00000030h] 9_2_0324FD9B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322D5E0 mov eax, dword ptr fs:[00000030h] 9_2_0322D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0322D5E0 mov eax, dword ptr fs:[00000030h] 9_2_0322D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032DFDE2 mov eax, dword ptr fs:[00000030h] 9_2_032DFDE2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032DFDE2 mov eax, dword ptr fs:[00000030h] 9_2_032DFDE2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032DFDE2 mov eax, dword ptr fs:[00000030h] 9_2_032DFDE2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032DFDE2 mov eax, dword ptr fs:[00000030h] 9_2_032DFDE2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032C8DF1 mov eax, dword ptr fs:[00000030h] 9_2_032C8DF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03296DC9 mov eax, dword ptr fs:[00000030h] 9_2_03296DC9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03296DC9 mov eax, dword ptr fs:[00000030h] 9_2_03296DC9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03296DC9 mov eax, dword ptr fs:[00000030h] 9_2_03296DC9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03296DC9 mov ecx, dword ptr fs:[00000030h] 9_2_03296DC9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03296DC9 mov eax, dword ptr fs:[00000030h] 9_2_03296DC9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03296DC9 mov eax, dword ptr fs:[00000030h] 9_2_03296DC9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0324BC2C mov eax, dword ptr fs:[00000030h] 9_2_0324BC2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E740D mov eax, dword ptr fs:[00000030h] 9_2_032E740D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E740D mov eax, dword ptr fs:[00000030h] 9_2_032E740D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032E740D mov eax, dword ptr fs:[00000030h] 9_2_032E740D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03296C0A mov eax, dword ptr fs:[00000030h] 9_2_03296C0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03296C0A mov eax, dword ptr fs:[00000030h] 9_2_03296C0A