Edit tour

Windows Analysis Report
hOe2JrpIAE.exe

Overview

General Information

Sample name:	hOe2JrpIAE.exe renamed because original name is a hash value
Original sample name:	f3b25ff7dc9cfcab029413dbaab77efdb5017d72ff5c0cc4d88769de1def78a6.exe
Analysis ID:	1466892
MD5:	21a8497522de5b8b12067fca910e0469
SHA1:	314794ef8b3b0fc2f1efc2a68e04caa0e371ff25
SHA256:	f3b25ff7dc9cfcab029413dbaab77efdb5017d72ff5c0cc4d88769de1def78a6
Tags:	exe
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

hOe2JrpIAE.exe (PID: 4952 cmdline: "C:\Users\user\Desktop\hOe2JrpIAE.exe" MD5: 21A8497522DE5B8B12067FCA910E0469)

hOe2JrpIAE.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\hOe2JrpIAE.exe" MD5: 21A8497522DE5B8B12067FCA910E0469)

hOe2JrpIAE.exe (PID: 3524 cmdline: "C:\Users\user\Desktop\hOe2JrpIAE.exe" MD5: 21A8497522DE5B8B12067FCA910E0469)

hOe2JrpIAE.exe (PID: 1996 cmdline: "C:\Users\user\Desktop\hOe2JrpIAE.exe" MD5: 21A8497522DE5B8B12067FCA910E0469)

hOe2JrpIAE.exe (PID: 2796 cmdline: "C:\Users\user\Desktop\hOe2JrpIAE.exe" MD5: 21A8497522DE5B8B12067FCA910E0469)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

netsh.exe (PID: 5712 cmdline: "C:\Windows\SysWOW64\netsh.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 3580 cmdline: /c del "C:\Users\user\Desktop\hOe2JrpIAE.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.tires-book-robust.bond/cn26/"], "decoy": ["ajtsistemas.com", "kolotylo.info", "mraofficial.store", "shopcupsareus.com", "odishastatenews.in", "yipicircle.life", "bryve.shop", "tempotrekstore.com", "casinoslotsjoint.com", "xiaoshuoxyz.com", "art-birdsflyinghigh.com", "odvip438.com", "verlatservicios.com", "bilocoin.world", "lamaisonfacile.com", "guojiang-v37.xyz", "shsredgpoufnds.net", "thequorumcompany.com", "qf4h1tcpmgxor7b.skin", "daisyjoanniezu.cyou", "r41opxw1076r.shop", "scientificmetalscorp.co", "shopusuniform.com", "j0mui3.shop", "halqiuststone.com", "hasenkamp.dev", "549965.autos", "nadarrawellness.com", "31artspace.com", "americanidolizing.com", "vacaychateau.com", "c377b2xq.shop", "essere.love", "e2olyiab.shop", "skechersshoes-cz.com", "laurabodyboost.com", "laser-skin-treatment-19799.bond", "theburnscleanteam.com", "tiensbangladesh.net", "sothana.top", "hillingpowerhouse.com", "kingelecpos.com", "xn--y3rqw57i.com", "foton.africa", "emergencyresponsemd.com", "0pjke0.vip", "keepitkoming.shop", "lamyahkalimi.com", "dehamobilya.com", "pornerbros.top", "happyjumps.co", "pool-repair-35063.bond", "thepassionpact.shop", "elroi-mexico.com", "xztyvk.xyz", "origenworld.com", "licstarmfprabakar.com", "asfaua.com", "zenvip.club", "seo-andorra.com", "cgffwelcome.com", "sswpdx.com", "7jtsyx.pw", "australiangamesgroup.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2005358517.00000000033E7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2007353143.0000000005B50000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2005886630.0000000003F91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2007470548.0000000007140000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.4452293523.000000000E4F2000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0x9d2:$a2: pass 0x9d8:$a3: email 0x9df:$a4: login 0x9e6:$a5: signin 0x9f7:$a6: persistent 0xbca:$r1: C:\Users\user\AppData\Roaming\J359ODB6\J35log.ini
00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7ffb9:$a1: 3C 30 50 4F 53 54 74 09 40 0xae3d9:$a1: 3C 30 50 4F 53 54 74 09 40 0xdb7f9:$a1: 3C 30 50 4F 53 54 74 09 40 0x96928:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc4d48:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xf2168:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x84737:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xb2b57:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xdff77:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x8f61f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xbda3f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xeae5f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83670:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x838ea:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb1a90:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb1d0a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xdeeb0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xdf12a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8f41d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xbd83d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xeac5d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8ef09:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xbd329:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xea749:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8f51f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xbd93f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xead5f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8f697:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbdab7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xeaed7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x84302:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xb2722:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xdfb42:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x925b1:$sqlite3step: 68 34 1C 7B E1 0x926c4:$sqlite3step: 68 34 1C 7B E1 0xc09d1:$sqlite3step: 68 34 1C 7B E1 0xc0ae4:$sqlite3step: 68 34 1C 7B E1 0xeddf1:$sqlite3step: 68 34 1C 7B E1 0xedf04:$sqlite3step: 68 34 1C 7B E1 0x925e0:$sqlite3text: 68 38 2A 90 C5 0x92705:$sqlite3text: 68 38 2A 90 C5 0xc0a00:$sqlite3text: 68 38 2A 90 C5 0xc0b25:$sqlite3text: 68 38 2A 90 C5 0xede20:$sqlite3text: 68 38 2A 90 C5 0xedf45:$sqlite3text: 68 38 2A 90 C5 0x925f3:$sqlite3blob: 68 53 D8 7F 8C 0x9271b:$sqlite3blob: 68 53 D8 7F 8C 0xc0a13:$sqlite3blob: 68 53 D8 7F 8C 0xc0b3b:$sqlite3blob: 68 53 D8 7F 8C 0xede33:$sqlite3blob: 68 53 D8 7F 8C 0xedf5b:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2005358517.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: hOe2JrpIAE.exe PID: 4952	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3bf20:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: hOe2JrpIAE.exe PID: 2796	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6caa6:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: netsh.exe PID: 5712	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5f12:$a1: 3C 30 50 4F 53 54 74 09 40 0x1374dc:$a1: 3C 30 50 4F 53 54 74 09 40 0x17c824:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.hOe2JrpIAE.exe.3f99970.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.hOe2JrpIAE.exe.7140000.12.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.hOe2JrpIAE.exe.5b50000.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.hOe2JrpIAE.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.hOe2JrpIAE.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.hOe2JrpIAE.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.hOe2JrpIAE.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.hOe2JrpIAE.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0.2.hOe2JrpIAE.exe.7140000.12.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.hOe2JrpIAE.exe.340bcdc.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.hOe2JrpIAE.exe.33e7f58.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.hOe2JrpIAE.exe.2fc84c8.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.hOe2JrpIAE.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.hOe2JrpIAE.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.hOe2JrpIAE.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.hOe2JrpIAE.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.hOe2JrpIAE.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
0.2.hOe2JrpIAE.exe.2fc84c8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.hOe2JrpIAE.exe.340acc4.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 16 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 199.59.243.226

Timestamp:	07/03/24-14:51:07.057746
SID:	2031412
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 52.60.87.163

Timestamp:	07/03/24-14:53:09.934739
SID:	2031412
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 34.92.194.225

Timestamp:	07/03/24-14:53:30.424657
SID:	2031412
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 3.33.130.190

Timestamp:	07/03/24-14:53:50.846445
SID:	2031412
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 34.149.87.45

Timestamp:	07/03/24-14:52:08.288538
SID:	2031412
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 14.128.41.165

Timestamp:	07/03/24-14:51:27.802913
SID:	2031412
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 3.33.130.190

Timestamp:	07/03/24-14:52:28.804978
SID:	2031412
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.5 - Destination IP: 162.244.93.3

Timestamp:	07/03/24-14:50:47.686112
SID:	2031412
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hOe2JrpIAE.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.tires-book-robust.bond/cn26/www.foton.africa	Avira URL Cloud: Label: malware
Source: http://www.tires-book-robust.bond/cn26/	Avira URL Cloud: Label: malware
Source: www.tires-book-robust.bond/cn26/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.tires-book-robust.bond/cn26/"], "decoy": ["ajtsistemas.com", "kolotylo.info", "mraofficial.store", "shopcupsareus.com", "odishastatenews.in", "yipicircle.life", "bryve.shop", "tempotrekstore.com", "casinoslotsjoint.com", "xiaoshuoxyz.com", "art-birdsflyinghigh.com", "odvip438.com", "verlatservicios.com", "bilocoin.world", "lamaisonfacile.com", "guojiang-v37.xyz", "shsredgpoufnds.net", "thequorumcompany.com", "qf4h1tcpmgxor7b.skin", "daisyjoanniezu.cyou", "r41opxw1076r.shop", "scientificmetalscorp.co", "shopusuniform.com", "j0mui3.shop", "halqiuststone.com", "hasenkamp.dev", "549965.autos", "nadarrawellness.com", "31artspace.com", "americanidolizing.com", "vacaychateau.com", "c377b2xq.shop", "essere.love", "e2olyiab.shop", "skechersshoes-cz.com", "laurabodyboost.com", "laser-skin-treatment-19799.bond", "theburnscleanteam.com", "tiensbangladesh.net", "sothana.top", "hillingpowerhouse.com", "kingelecpos.com", "xn--y3rqw57i.com", "foton.africa", "emergencyresponsemd.com", "0pjke0.vip", "keepitkoming.shop", "lamyahkalimi.com", "dehamobilya.com", "pornerbros.top", "happyjumps.co", "pool-repair-35063.bond", "thepassionpact.shop", "elroi-mexico.com", "xztyvk.xyz", "origenworld.com", "licstarmfprabakar.com", "asfaua.com", "zenvip.club", "seo-andorra.com", "cgffwelcome.com", "sswpdx.com", "7jtsyx.pw", "australiangamesgroup.com"]}

Multi AV Scanner detection for submitted file

Source: hOe2JrpIAE.exe

ReversingLabs: Detection: 68%

Yara detected FormBook

Source: Yara match	File source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: hOe2JrpIAE.exe

Joe Sandbox ML: detected

Source: hOe2JrpIAE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: hOe2JrpIAE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: XUhH.pdb source: hOe2JrpIAE.exe
Source:	Binary string: XUhH.pdbSHA256 source: hOe2JrpIAE.exe
Source:	Binary string: netsh.pdb source: hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2052100186.0000000001460000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000002.4441556154.0000000001080000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netsh.pdbGCTL source: hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2052100186.0000000001460000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.4441556154.0000000001080000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: hOe2JrpIAE.exe, 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2052359711.0000000003AE9000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2050482991.000000000393F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003C90000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003E2E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: hOe2JrpIAE.exe, hOe2JrpIAE.exe, 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000003.2052359711.0000000003AE9000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2050482991.000000000393F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003C90000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003E2E000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 4x nop then pop edi	6_2_00417D7F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 4x nop then pop edi	6_2_00417DCA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi	8_2_030C7D7F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi	8_2_030C7DCA

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 162.244.93.3:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 199.59.243.226:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49721 -> 14.128.41.165:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49722 -> 34.149.87.45:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49723 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49724 -> 52.60.87.163:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 34.92.194.225:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49726 -> 3.33.130.190:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 199.59.243.226 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.244.93.3 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.tires-book-robust.bond/cn26/

Source: global traffic	HTTP traffic detected: GET /cn26/?V410V=CmFgnMATfu/lD1Rd1GHYmtbpicIpwpy90rRc4LoWjy4DICrpuFEBTKor21hYt8nWF2kM&Kr=YtxTb HTTP/1.1Host: www.tiensbangladesh.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cn26/?V410V=Wwa2UMOYo9JcJMQ5ME0Q+bO7/4aNL8yaSIJN/NKFPRQQ6eA3A90uIzxodQffq+AadB6M&Kr=YtxTb HTTP/1.1Host: www.shopusuniform.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cn26/?V410V=xh0AWH03uTuLb7lNYJWhmJpAztdjm7ZCIfIRc9jnByUCUf27hW5Mghto8D6CFT3eDifI&Kr=YtxTb HTTP/1.1Host: www.j0mui3.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cn26/?V410V=vyOlf6d0gdkMF27YEBTjWR4sd91tQ6met0nuZUZfy4zFrLxX9BwP111ngtT6h4ZwTfCv&Kr=YtxTb HTTP/1.1Host: www.dehamobilya.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cn26/?V410V=pbSbn1rMiq1OPTP6ICdnvfWphahg9+3Gt5uoQw76hA6d6T1GJ+eKg+Q7XOnjWxnlol53&Kr=YtxTb HTTP/1.1Host: www.happyjumps.coConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cn26/?V410V=hM6dqt0bNRJ3wnqohXEckG+ra7BpyCFNN1yCjjYC1YEFAohibEIyfRXhhB3fmL/JtGSj&Kr=YtxTb HTTP/1.1Host: www.yipicircle.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 199.59.243.226 199.59.243.226
Source: Joe Sandbox View	IP Address: 34.149.87.45 34.149.87.45
Source: Joe Sandbox View	IP Address: 34.149.87.45 34.149.87.45

Source: Joe Sandbox View	ASN Name: BCPL-SGBGPNETGlobalASNSG BCPL-SGBGPNETGlobalASNSG
Source: Joe Sandbox View	ASN Name: BODIS-NJUS BODIS-NJUS
Source: Joe Sandbox View	ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS
Source: Joe Sandbox View	ASN Name: PONYNETUS PONYNETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 7_2_0E4DAF82 getaddrinfo,setsockopt,recv,

7_2_0E4DAF82

Source: global traffic	HTTP traffic detected: GET /cn26/?V410V=CmFgnMATfu/lD1Rd1GHYmtbpicIpwpy90rRc4LoWjy4DICrpuFEBTKor21hYt8nWF2kM&Kr=YtxTb HTTP/1.1Host: www.tiensbangladesh.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cn26/?V410V=Wwa2UMOYo9JcJMQ5ME0Q+bO7/4aNL8yaSIJN/NKFPRQQ6eA3A90uIzxodQffq+AadB6M&Kr=YtxTb HTTP/1.1Host: www.shopusuniform.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cn26/?V410V=xh0AWH03uTuLb7lNYJWhmJpAztdjm7ZCIfIRc9jnByUCUf27hW5Mghto8D6CFT3eDifI&Kr=YtxTb HTTP/1.1Host: www.j0mui3.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cn26/?V410V=vyOlf6d0gdkMF27YEBTjWR4sd91tQ6met0nuZUZfy4zFrLxX9BwP111ngtT6h4ZwTfCv&Kr=YtxTb HTTP/1.1Host: www.dehamobilya.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cn26/?V410V=pbSbn1rMiq1OPTP6ICdnvfWphahg9+3Gt5uoQw76hA6d6T1GJ+eKg+Q7XOnjWxnlol53&Kr=YtxTb HTTP/1.1Host: www.happyjumps.coConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cn26/?V410V=hM6dqt0bNRJ3wnqohXEckG+ra7BpyCFNN1yCjjYC1YEFAohibEIyfRXhhB3fmL/JtGSj&Kr=YtxTb HTTP/1.1Host: www.yipicircle.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.theburnscleanteam.com
Source: global traffic	DNS traffic detected: DNS query: www.tiensbangladesh.net
Source: global traffic	DNS traffic detected: DNS query: www.shopusuniform.com
Source: global traffic	DNS traffic detected: DNS query: www.j0mui3.shop
Source: global traffic	DNS traffic detected: DNS query: www.cgffwelcome.com
Source: global traffic	DNS traffic detected: DNS query: www.dehamobilya.com
Source: global traffic	DNS traffic detected: DNS query: www.happyjumps.co
Source: global traffic	DNS traffic detected: DNS query: www.tires-book-robust.bond
Source: global traffic	DNS traffic detected: DNS query: www.foton.africa
Source: global traffic	DNS traffic detected: DNS query: www.e2olyiab.shop
Source: global traffic	DNS traffic detected: DNS query: www.yipicircle.life
Source: global traffic	DNS traffic detected: DNS query: www.tempotrekstore.com

Source: explorer.exe, 00000007.00000002.4446934807.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4446934807.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: hOe2JrpIAE.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: hOe2JrpIAE.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: explorer.exe, 00000007.00000000.2007072938.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4441584000.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000007.00000002.4446934807.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4446934807.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000002.4446934807.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4446934807.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: hOe2JrpIAE.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 00000007.00000002.4446934807.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4446934807.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000002.4446934807.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000000.2010237532.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4446456942.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2009741979.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: hOe2JrpIAE.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ajtsistemas.com
Source: explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ajtsistemas.com/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ajtsistemas.comReferer:
Source: explorer.exe, 00000007.00000003.3777555916.000000000C8EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.
Source: explorer.exe, 00000007.00000000.2013207443.000000000C8DD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.A
Source: explorer.exe, 00000007.00000003.3098535056.000000000C8DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096521466.000000000C8DD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.B
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cgffwelcome.com
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cgffwelcome.com/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cgffwelcome.com/cn26/www.dehamobilya.com
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cgffwelcome.comReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dehamobilya.com
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dehamobilya.com/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dehamobilya.com/cn26/www.happyjumps.co
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dehamobilya.comReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.e2olyiab.shop
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.e2olyiab.shop/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.e2olyiab.shop/cn26/www.yipicircle.life
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.e2olyiab.shopReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foton.africa
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foton.africa/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foton.africa/cn26/www.e2olyiab.shop
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foton.africaReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.happyjumps.co
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.happyjumps.co/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.happyjumps.co/cn26/www.tires-book-robust.bond
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.happyjumps.coReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.j0mui3.shop
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.j0mui3.shop/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.j0mui3.shop/cn26/www.cgffwelcome.com
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.j0mui3.shopReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.scientificmetalscorp.co
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.scientificmetalscorp.co/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.scientificmetalscorp.co/cn26/www.ajtsistemas.com
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.scientificmetalscorp.coReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shopusuniform.com
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shopusuniform.com/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shopusuniform.com/cn26/www.j0mui3.shop
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shopusuniform.comReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sswpdx.com
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sswpdx.com/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sswpdx.com/cn26/www.scientificmetalscorp.co
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sswpdx.comReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tempotrekstore.com
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tempotrekstore.com/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tempotrekstore.com/cn26/www.xztyvk.xyz
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tempotrekstore.comReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theburnscleanteam.com
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theburnscleanteam.com/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theburnscleanteam.com/cn26/www.tiensbangladesh.net
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.theburnscleanteam.comReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tiensbangladesh.net
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tiensbangladesh.net/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tiensbangladesh.net/cn26/www.shopusuniform.com
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tiensbangladesh.netReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tires-book-robust.bond
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tires-book-robust.bond/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tires-book-robust.bond/cn26/www.foton.africa
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tires-book-robust.bondReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xztyvk.xyz
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xztyvk.xyz/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xztyvk.xyz/cn26/www.sswpdx.com
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xztyvk.xyzReferer:
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yipicircle.life
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yipicircle.life/cn26/
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yipicircle.life/cn26/www.tempotrekstore.com
Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yipicircle.lifeReferer:
Source: explorer.exe, 00000007.00000003.3098637821.000000000C513000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4451078883.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2012740355.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000007.00000000.2009042834.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000002.4446934807.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000002.4444797028.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2009042834.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000003.3094915197.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2007823850.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4443539368.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000007.00000003.3099099836.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096597969.0000000009B7A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4447710215.0000000009B81000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000003.3777677954.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3098080000.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096597969.0000000009B7A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4447809365.0000000009D42000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000007.00000000.2012740355.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4450786934.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000007.00000002.4446934807.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000007.00000002.4446934807.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon
Source: hOe2JrpIAE.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: explorer.exe, 00000007.00000002.4453541198.0000000010E2F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.4443371821.00000000046CF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4452293523.000000000E4F2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: hOe2JrpIAE.exe PID: 4952, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: hOe2JrpIAE.exe PID: 2796, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: netsh.exe PID: 5712, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041A360 NtCreateFile,	6_2_0041A360
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041A410 NtReadFile,	6_2_0041A410
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041A490 NtClose,	6_2_0041A490
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041A540 NtAllocateVirtualMemory,	6_2_0041A540
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041A40E NtReadFile,	6_2_0041A40E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182B60 NtClose,LdrInitializeThunk,	6_2_01182B60
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_01182BF0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182AD0 NtReadFile,LdrInitializeThunk,	6_2_01182AD0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_01182D10
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_01182D30
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182DD0 NtDelayExecution,LdrInitializeThunk,	6_2_01182DD0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_01182DF0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_01182C70
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_01182CA0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182F30 NtCreateSection,LdrInitializeThunk,	6_2_01182F30
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_01182F90
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182FB0 NtResumeThread,LdrInitializeThunk,	6_2_01182FB0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182FE0 NtCreateFile,LdrInitializeThunk,	6_2_01182FE0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_01182E80
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_01182EA0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01184340 NtSetContextThread,	6_2_01184340
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01184650 NtSuspendThread,	6_2_01184650
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182B80 NtQueryInformationFile,	6_2_01182B80
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182BA0 NtEnumerateValueKey,	6_2_01182BA0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182BE0 NtQueryValueKey,	6_2_01182BE0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182AB0 NtWaitForSingleObject,	6_2_01182AB0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182AF0 NtWriteFile,	6_2_01182AF0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182D00 NtSetInformationFile,	6_2_01182D00
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182DB0 NtEnumerateKey,	6_2_01182DB0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182C00 NtQueryInformationProcess,	6_2_01182C00
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182C60 NtCreateKey,	6_2_01182C60
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182CC0 NtQueryVirtualMemory,	6_2_01182CC0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182CF0 NtOpenProcess,	6_2_01182CF0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182F60 NtCreateProcessEx,	6_2_01182F60
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182FA0 NtQuerySection,	6_2_01182FA0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182E30 NtWriteVirtualMemory,	6_2_01182E30
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182EE0 NtQueueApcThread,	6_2_01182EE0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01183010 NtOpenDirectoryObject,	6_2_01183010
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01183090 NtSetValueKey,	6_2_01183090
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011835C0 NtCreateMutant,	6_2_011835C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011839B0 NtGetContextThread,	6_2_011839B0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01183D10 NtOpenProcessToken,	6_2_01183D10
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01183D70 NtOpenThread,	6_2_01183D70
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4DBE12 NtProtectVirtualMemory,	7_2_0E4DBE12
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4DA232 NtCreateFile,	7_2_0E4DA232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4DBE0A NtProtectVirtualMemory,	7_2_0E4DBE0A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02B60 NtClose,LdrInitializeThunk,	8_2_03D02B60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02AD0 NtReadFile,LdrInitializeThunk,	8_2_03D02AD0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02FE0 NtCreateFile,LdrInitializeThunk,	8_2_03D02FE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02F30 NtCreateSection,LdrInitializeThunk,	8_2_03D02F30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_03D02EA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02DD0 NtDelayExecution,LdrInitializeThunk,	8_2_03D02DD0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_03D02DF0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_03D02D10
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_03D02CA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_03D02C70
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02C60 NtCreateKey,LdrInitializeThunk,	8_2_03D02C60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D035C0 NtCreateMutant,LdrInitializeThunk,	8_2_03D035C0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D04340 NtSetContextThread,	8_2_03D04340
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D04650 NtSuspendThread,	8_2_03D04650
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02BF0 NtAllocateVirtualMemory,	8_2_03D02BF0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02BE0 NtQueryValueKey,	8_2_03D02BE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02B80 NtQueryInformationFile,	8_2_03D02B80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02BA0 NtEnumerateValueKey,	8_2_03D02BA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02AF0 NtWriteFile,	8_2_03D02AF0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02AB0 NtWaitForSingleObject,	8_2_03D02AB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02F90 NtProtectVirtualMemory,	8_2_03D02F90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02FB0 NtResumeThread,	8_2_03D02FB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02FA0 NtQuerySection,	8_2_03D02FA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02F60 NtCreateProcessEx,	8_2_03D02F60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02EE0 NtQueueApcThread,	8_2_03D02EE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02E80 NtReadVirtualMemory,	8_2_03D02E80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02E30 NtWriteVirtualMemory,	8_2_03D02E30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02DB0 NtEnumerateKey,	8_2_03D02DB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02D00 NtSetInformationFile,	8_2_03D02D00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02D30 NtUnmapViewOfSection,	8_2_03D02D30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02CC0 NtQueryVirtualMemory,	8_2_03D02CC0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02CF0 NtOpenProcess,	8_2_03D02CF0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D02C00 NtQueryInformationProcess,	8_2_03D02C00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D03090 NtSetValueKey,	8_2_03D03090
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D03010 NtOpenDirectoryObject,	8_2_03D03010
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D039B0 NtGetContextThread,	8_2_03D039B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D03D70 NtOpenThread,	8_2_03D03D70
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D03D10 NtOpenProcessToken,	8_2_03D03D10
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030CA360 NtCreateFile,	8_2_030CA360
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030CA410 NtReadFile,	8_2_030CA410
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030CA490 NtClose,	8_2_030CA490
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030CA40E NtReadFile,	8_2_030CA40E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03AD9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	8_2_03AD9BAF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03ADA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,	8_2_03ADA036
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03AD9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_03AD9BB2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03ADA042 NtQueryInformationProcess,	8_2_03ADA042

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_02F77688	0_2_02F77688
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_02F70040	0_2_02F70040
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_02F77678	0_2_02F77678
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_02F70A00	0_2_02F70A00
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_02F709F0	0_2_02F709F0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_0502211C	0_2_0502211C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_05020040	0_2_05020040
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_05020006	0_2_05020006
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_055BA230	0_2_055BA230
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_055BE460	0_2_055BE460
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_055BA21F	0_2_055BA21F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_055B92C8	0_2_055B92C8
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_055B92B8	0_2_055B92B8
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_055BECD0	0_2_055BECD0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_055BE898	0_2_055BE898
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_0725D6B8	0_2_0725D6B8
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_072569B0	0_2_072569B0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_07250037	0_2_07250037
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_0725E068	0_2_0725E068
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_07250040	0_2_07250040
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_0725D0D0	0_2_0725D0D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_0729BC28	0_2_0729BC28
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_0729C0C8	0_2_0729C0C8
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_07296A00	0_2_07296A00
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_07290007	0_2_07290007
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_0729A848	0_2_0729A848
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_07290040	0_2_07290040
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041E891	6_2_0041E891
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041E1AF	6_2_0041E1AF
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_00401208	6_2_00401208
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041DBB6	6_2_0041DBB6
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_00402D87	6_2_00402D87
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_00409E5B	6_2_00409E5B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_00409E60	6_2_00409E60
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041DED8	6_2_0041DED8
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041DFDF	6_2_0041DFDF
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041D78F	6_2_0041D78F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EA118	6_2_011EA118
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01140100	6_2_01140100
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D8158	6_2_011D8158
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012041A2	6_2_012041A2
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012101AA	6_2_012101AA
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012081CC	6_2_012081CC
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E2000	6_2_011E2000
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120A352	6_2_0120A352
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012103E6	6_2_012103E6
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115E3F0	6_2_0115E3F0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0274	6_2_011F0274
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D02C0	6_2_011D02C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150535	6_2_01150535
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01210591	6_2_01210591
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F4420	6_2_011F4420
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01202446	6_2_01202446
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011FE4F6	6_2_011FE4F6
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01174750	6_2_01174750
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150770	6_2_01150770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114C7C0	6_2_0114C7C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116C6E0	6_2_0116C6E0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01166962	6_2_01166962
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0121A9A6	6_2_0121A9A6
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01152840	6_2_01152840
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115A840	6_2_0115A840
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011368B8	6_2_011368B8
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E8F0	6_2_0117E8F0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120AB40	6_2_0120AB40
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01206BD7	6_2_01206BD7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114EA80	6_2_0114EA80
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011ECD1F	6_2_011ECD1F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115AD00	6_2_0115AD00
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01168DBF	6_2_01168DBF
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114ADE0	6_2_0114ADE0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150C00	6_2_01150C00
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0CB5	6_2_011F0CB5
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01140CF2	6_2_01140CF2
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01170F30	6_2_01170F30
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F2F30	6_2_011F2F30
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01192F28	6_2_01192F28
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C4F40	6_2_011C4F40
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CEFA0	6_2_011CEFA0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01142FC8	6_2_01142FC8
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115CFE0	6_2_0115CFE0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120EE26	6_2_0120EE26
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150E59	6_2_01150E59
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01162E90	6_2_01162E90
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120CE93	6_2_0120CE93
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120EEDB	6_2_0120EEDB
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0121B16B	6_2_0121B16B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113F172	6_2_0113F172
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0118516C	6_2_0118516C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115B1B0	6_2_0115B1B0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120F0E0	6_2_0120F0E0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012070E9	6_2_012070E9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011FF0CC	6_2_011FF0CC
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011570C0	6_2_011570C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120132D	6_2_0120132D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113D34C	6_2_0113D34C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0119739A	6_2_0119739A
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011552A0	6_2_011552A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116B2C0	6_2_0116B2C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F12ED	6_2_011F12ED
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01207571	6_2_01207571
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011ED5B0	6_2_011ED5B0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012195C3	6_2_012195C3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120F43F	6_2_0120F43F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01141460	6_2_01141460
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120F7B0	6_2_0120F7B0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01195630	6_2_01195630
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012016CC	6_2_012016CC
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E5910	6_2_011E5910
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01159950	6_2_01159950
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116B950	6_2_0116B950
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BD800	6_2_011BD800
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011538E0	6_2_011538E0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120FB76	6_2_0120FB76
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116FB80	6_2_0116FB80
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0118DBF9	6_2_0118DBF9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C5BF0	6_2_011C5BF0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01207A46	6_2_01207A46
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120FA49	6_2_0120FA49
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C3A6C	6_2_011C3A6C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EDAAC	6_2_011EDAAC
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01195AA0	6_2_01195AA0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F1AA3	6_2_011F1AA3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011FDAC6	6_2_011FDAC6
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01207D73	6_2_01207D73
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01153D40	6_2_01153D40
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01201D5A	6_2_01201D5A
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116FDC0	6_2_0116FDC0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C9C32	6_2_011C9C32
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120FCF2	6_2_0120FCF2
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120FF09	6_2_0120FF09
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01151F92	6_2_01151F92
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120FFB1	6_2_0120FFB1
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01159EB0	6_2_01159EB0
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4DA232	7_2_0E4DA232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4D9036	7_2_0E4D9036
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4D0082	7_2_0E4D0082
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4D1D02	7_2_0E4D1D02
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4D7912	7_2_0E4D7912
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4D4B30	7_2_0E4D4B30
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4D4B32	7_2_0E4D4B32
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4DD5CD	7_2_0E4DD5CD
Source: C:\Windows\explorer.exe	Code function: 7_2_10616036	7_2_10616036
Source: C:\Windows\explorer.exe	Code function: 7_2_1060D082	7_2_1060D082
Source: C:\Windows\explorer.exe	Code function: 7_2_1060ED02	7_2_1060ED02
Source: C:\Windows\explorer.exe	Code function: 7_2_10614912	7_2_10614912
Source: C:\Windows\explorer.exe	Code function: 7_2_1061A5CD	7_2_1061A5CD
Source: C:\Windows\explorer.exe	Code function: 7_2_10617232	7_2_10617232
Source: C:\Windows\explorer.exe	Code function: 7_2_10611B30	7_2_10611B30
Source: C:\Windows\explorer.exe	Code function: 7_2_10611B32	7_2_10611B32
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_01085EB0	8_2_01085EB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CDE3F0	8_2_03CDE3F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D903E6	8_2_03D903E6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8A352	8_2_03D8A352
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D502C0	8_2_03D502C0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D70274	8_2_03D70274
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D881CC	8_2_03D881CC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D901AA	8_2_03D901AA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D841A2	8_2_03D841A2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D58158	8_2_03D58158
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CC0100	8_2_03CC0100
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D6A118	8_2_03D6A118
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D62000	8_2_03D62000
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CCC7C0	8_2_03CCC7C0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CF4750	8_2_03CF4750
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CD0770	8_2_03CD0770
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CEC6E0	8_2_03CEC6E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D90591	8_2_03D90591
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CD0535	8_2_03CD0535
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D7E4F6	8_2_03D7E4F6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D82446	8_2_03D82446
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D74420	8_2_03D74420
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D86BD7	8_2_03D86BD7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8AB40	8_2_03D8AB40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CCEA80	8_2_03CCEA80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CD29A0	8_2_03CD29A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D9A9A6	8_2_03D9A9A6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CE6962	8_2_03CE6962
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CFE8F0	8_2_03CFE8F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CB68B8	8_2_03CB68B8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CD2840	8_2_03CD2840
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CDA840	8_2_03CDA840
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CC2FC8	8_2_03CC2FC8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CDCFE0	8_2_03CDCFE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D4EFA0	8_2_03D4EFA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D44F40	8_2_03D44F40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D72F30	8_2_03D72F30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D12F28	8_2_03D12F28
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CF0F30	8_2_03CF0F30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8EEDB	8_2_03D8EEDB
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8CE93	8_2_03D8CE93
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CE2E90	8_2_03CE2E90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CD0E59	8_2_03CD0E59
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8EE26	8_2_03D8EE26
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CCADE0	8_2_03CCADE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CE8DBF	8_2_03CE8DBF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D6CD1F	8_2_03D6CD1F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CDAD00	8_2_03CDAD00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CC0CF2	8_2_03CC0CF2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D70CB5	8_2_03D70CB5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CD0C00	8_2_03CD0C00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D1739A	8_2_03D1739A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CBD34C	8_2_03CBD34C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8132D	8_2_03D8132D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CEB2C0	8_2_03CEB2C0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D712ED	8_2_03D712ED
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CD52A0	8_2_03CD52A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CDB1B0	8_2_03CDB1B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D9B16B	8_2_03D9B16B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CBF172	8_2_03CBF172
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D0516C	8_2_03D0516C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CD70C0	8_2_03CD70C0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D7F0CC	8_2_03D7F0CC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D870E9	8_2_03D870E9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8F0E0	8_2_03D8F0E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8F7B0	8_2_03D8F7B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D816CC	8_2_03D816CC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D15630	8_2_03D15630
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D995C3	8_2_03D995C3
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D6D5B0	8_2_03D6D5B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D87571	8_2_03D87571
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CC1460	8_2_03CC1460
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8F43F	8_2_03D8F43F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D45BF0	8_2_03D45BF0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D0DBF9	8_2_03D0DBF9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CEFB80	8_2_03CEFB80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8FB76	8_2_03D8FB76
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D7DAC6	8_2_03D7DAC6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D15AA0	8_2_03D15AA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D71AA3	8_2_03D71AA3
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D6DAAC	8_2_03D6DAAC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8FA49	8_2_03D8FA49
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D87A46	8_2_03D87A46
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D43A6C	8_2_03D43A6C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CD9950	8_2_03CD9950
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CEB950	8_2_03CEB950
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D65910	8_2_03D65910
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CD38E0	8_2_03CD38E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D3D800	8_2_03D3D800
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03C93FD2	8_2_03C93FD2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03C93FD5	8_2_03C93FD5
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CD1F92	8_2_03CD1F92
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8FFB1	8_2_03D8FFB1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8FF09	8_2_03D8FF09
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CD9EB0	8_2_03CD9EB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CEFDC0	8_2_03CEFDC0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D81D5A	8_2_03D81D5A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CD3D40	8_2_03CD3D40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D87D73	8_2_03D87D73
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D8FCF2	8_2_03D8FCF2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03D49C32	8_2_03D49C32
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030CE1AD	8_2_030CE1AD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030CD78F	8_2_030CD78F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030CE891	8_2_030CE891
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030B2FB0	8_2_030B2FB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030B9E5B	8_2_030B9E5B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030B9E60	8_2_030B9E60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030B2D87	8_2_030B2D87
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030B2D90	8_2_030B2D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03ADA036	8_2_03ADA036
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03AD5B30	8_2_03AD5B30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03AD5B32	8_2_03AD5B32
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03ADB232	8_2_03ADB232
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03AD8912	8_2_03AD8912
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03AD1082	8_2_03AD1082
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03ADE5CD	8_2_03ADE5CD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03AD2D02	8_2_03AD2D02

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: String function: 011BEA12 appears 86 times
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: String function: 01197E54 appears 111 times
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: String function: 0113B970 appears 280 times
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: String function: 011CF290 appears 105 times
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: String function: 01185130 appears 58 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 03D17E54 appears 111 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 03D3EA12 appears 86 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 03CBB970 appears 280 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 03D4F290 appears 105 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 03D05130 appears 58 times

Source: hOe2JrpIAE.exe

Static PE information: invalid certificate

Source: hOe2JrpIAE.exe, 00000000.00000002.2007654678.0000000007420000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000000.00000002.2004466042.00000000011AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000000.00000000.1983396250.0000000000BA4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXUhH.exeX vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenetsh.exej% vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000006.00000002.2052100186.000000000147C000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamenetsh.exej% vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenetsh.exej% vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000006.00000002.2051357395.000000000123D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe	Binary or memory string: OriginalFilenameXUhH.exeX vs hOe2JrpIAE.exe

Source: hOe2JrpIAE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4452293523.000000000E4F2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: hOe2JrpIAE.exe PID: 4952, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: hOe2JrpIAE.exe PID: 2796, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: netsh.exe PID: 5712, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: hOe2JrpIAE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.hOe2JrpIAE.exe.7140000.12.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.7140000.12.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack, OV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack, OV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack, OV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack, OV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, jLW4CR6YqLFnTWAfMo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, XfJx19P9NihkSJyVVW.cs	Security API names: _0020.SetAccessControl
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, XfJx19P9NihkSJyVVW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, XfJx19P9NihkSJyVVW.cs	Security API names: _0020.AddAccessRule
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, XfJx19P9NihkSJyVVW.cs	Security API names: _0020.SetAccessControl
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, XfJx19P9NihkSJyVVW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, XfJx19P9NihkSJyVVW.cs	Security API names: _0020.AddAccessRule
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, jLW4CR6YqLFnTWAfMo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, XfJx19P9NihkSJyVVW.cs	Security API names: _0020.SetAccessControl
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, XfJx19P9NihkSJyVVW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, XfJx19P9NihkSJyVVW.cs	Security API names: _0020.AddAccessRule
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, jLW4CR6YqLFnTWAfMo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@14/1@12/5

Source: C:\Windows\SysWOW64\netsh.exe

Code function: 8_2_01087F40 DisplayMessageM,FormatMessageW,GetLastError,GetStdHandle,LocalFree,

8_2_01087F40

Source: C:\Windows\SysWOW64\netsh.exe

Code function: 8_2_01088D48 CoInitializeEx,CoCreateInstance,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysAllocString,SysAllocString,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,CoUninitialize,

8_2_01088D48

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hOe2JrpIAE.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5504:120:WilError_03

Source: hOe2JrpIAE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: hOe2JrpIAE.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hOe2JrpIAE.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hOe2JrpIAE.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hOe2JrpIAE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: hOe2JrpIAE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: hOe2JrpIAE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: hOe2JrpIAE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: XUhH.pdb source: hOe2JrpIAE.exe
Source:	Binary string: XUhH.pdbSHA256 source: hOe2JrpIAE.exe
Source:	Binary string: netsh.pdb source: hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2052100186.0000000001460000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000002.4441556154.0000000001080000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netsh.pdbGCTL source: hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2052100186.0000000001460000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.4441556154.0000000001080000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: hOe2JrpIAE.exe, 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2052359711.0000000003AE9000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2050482991.000000000393F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003C90000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003E2E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: hOe2JrpIAE.exe, hOe2JrpIAE.exe, 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000003.2052359711.0000000003AE9000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2050482991.000000000393F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003C90000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003E2E000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.hOe2JrpIAE.exe.7140000.12.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack, OV.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack, OV.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})

.NET source code contains potential unpacker

Source: hOe2JrpIAE.exe, Main_Panel.cs	.Net Code: InitializeComponent
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, XfJx19P9NihkSJyVVW.cs	.Net Code: UJfBj2UJXq System.Reflection.Assembly.Load(byte[])
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, XfJx19P9NihkSJyVVW.cs	.Net Code: UJfBj2UJXq System.Reflection.Assembly.Load(byte[])
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, XfJx19P9NihkSJyVVW.cs	.Net Code: UJfBj2UJXq System.Reflection.Assembly.Load(byte[])
Source: 7.2.explorer.exe.1093f840.0.raw.unpack, Main_Panel.cs	.Net Code: InitializeComponent

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_055BB678 pushad ; ret	0_2_055BB679
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_07253262 push es; iretd	0_2_07253265
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_07292B5F pushfd ; ret	0_2_07292B60
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_07292C15 pushfd ; ret	0_2_07292C17
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 0_2_072948D2 push 0000007Fh; ret	0_2_072948D4
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041406A push edx; ret	6_2_0041406F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_00417B13 push ebp; iretd	6_2_00417B1D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041B387 pushad ; ret	6_2_0041B388
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041D4B5 push eax; ret	6_2_0041D508
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041D56C push eax; ret	6_2_0041D572
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041D502 push eax; ret	6_2_0041D508
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041D50B push eax; ret	6_2_0041D572
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0041664B push ds; ret	6_2_00416661
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0111225F pushad ; ret	6_2_011127F9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011127FA pushad ; ret	6_2_011127F9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011409AD push ecx; mov dword ptr [esp], ecx	6_2_011409B6
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0111283D push eax; iretd	6_2_01112858
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4DDB02 push esp; retn 0000h	7_2_0E4DDB03
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4DDB1E push esp; retn 0000h	7_2_0E4DDB1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0E4DD9B5 push esp; retn 0000h	7_2_0E4DDAE7
Source: C:\Windows\explorer.exe	Code function: 7_2_1061A9B5 push esp; retn 0000h	7_2_1061AAE7
Source: C:\Windows\explorer.exe	Code function: 7_2_1061AB02 push esp; retn 0000h	7_2_1061AB03
Source: C:\Windows\explorer.exe	Code function: 7_2_1061AB1E push esp; retn 0000h	7_2_1061AB1F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_01089C4D push ecx; ret	8_2_01089C60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03C9225F pushad ; ret	8_2_03C927F9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03C927FA pushad ; ret	8_2_03C927F9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03CC09AD push ecx; mov dword ptr [esp], ecx	8_2_03CC09B6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_03C9283D push eax; iretd	8_2_03C92858
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030CB387 pushad ; ret	8_2_030CB388
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030C406A push edx; ret	8_2_030C406F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_030C664B push ds; ret	8_2_030C6661

Source: hOe2JrpIAE.exe

Static PE information: section name: .text entropy: 7.965298829702422

Source: 0.2.hOe2JrpIAE.exe.7140000.12.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack, OV.cs	High entropy of concatenated method names: 'eX9', 'RgtTUJcyZL', 'XXu', 'IXK', 'qX0', 'zXZ', 'Uvdq5j', 'yw', 'Os', 'Bx'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, gSYEfxJ3mWb53dtiApw.cs	High entropy of concatenated method names: 'Yi3HoWc5L7', 'r4XHUHDJSP', 'OCjHjmxt6E', 'jTRkjZWzA6RG2Z8YBNX', 'FNltarn0koU4d8iyLEu', 'VBlBq1n1PBx2faSGeLU'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, uWJe8fBUSmndOswZA9.cs	High entropy of concatenated method names: 'IglJlLW4CR', 'nqLJPFnTWA', 'fyuJhiRNre', 'lCvJwe7qUP', 'wU0JAMmgsd', 'K3QJfKGuj3', 'KoCcECBZbTQFG09ROB', 'ggS0MwriqKgLuSaCQX', 'b5MJJAU2rL', 'Lq0Jy14gi8'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, GpOKynzXxAx0mhsKjJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lo4iYF5Gr6', 'CyXiAMdekV', 'fMviftxHZH', 'OTZib6UQSO', 'lqUiaU7jBL', 'ofJiiQlIXy', 'PV4iHIwKKn'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, jKBZbCDWTWf77lE54J.cs	High entropy of concatenated method names: 'YWmY6nvWtR', 'yvGYsZ5XYn', 'XbRYglkFsZ', 'gR9YI75Rpc', 'XEdYTXyBum', 'wwMYKJU4bN', 'Vb2Y8GJ88Y', 'TQjYdbA5pg', 'Y6eYGFKX45', 'phmYXEKLgq'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, w6kQefL8m0YoHQx3Me.cs	High entropy of concatenated method names: 'ToString', 'cU2fXCgBu3', 'QJlfIcgSyk', 'mnyfC2D76n', 'EjEfT3p2Q7', 'MfofKGos0v', 'lPhfnVUx35', 'pQpf8Kjduc', 'dfyfd7iX9L', 'Ll4f55UNYM'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, fqUPcmS4qlWLbVU0Mm.cs	High entropy of concatenated method names: 'cDE0F3qC3P', 'NL40ZtDNKF', 'RKfMC2O34L', 'vtAMT36ij8', 'tyAMKkLlJj', 'rsTMn4WvFc', 'xmBM8SZlu2', 'ENDMdod0eJ', 'XAXM5pY8ff', 'p0HMGsDObd'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, tUoopq5N8vkUC0wdsi.cs	High entropy of concatenated method names: 'nPAloudTWJ', 'kNtlUvUHB0', 'LTcljXJTtb', 'moMlx4h0U0', 'PqulFH69XZ', 'ylTlqrkmGA', 'pDTlZsJPSw', 'CCil6PBqqT', 'iMYlskPYU2', 'IQ1lSGm1Rd'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, mP2gWpWeNb4y9k4ghF.cs	High entropy of concatenated method names: 'Lqcb4Weao1', 't7Rb1nA39L', 'FQPaOmtoRD', 'z6uaJygZYm', 'e52bXdmmLy', 'JMMbRaUDkF', 'ygdbDxgZPJ', 'rWrbmHfpUt', 'Ealbu5si5R', 'umqbLrMxcK'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, Jjt1fo1sfRiO1974xp.cs	High entropy of concatenated method names: 'keAiJin9yY', 'OOuiy4B4nv', 'vnQiBYrNCv', 'Hj8i7CNVn5', 'OjoiQajaQc', 'fNTi0b2ZCW', 'gcJieMYmt5', 'ausatg3rjJ', 'e0Wa4FmkHL', 'iMja2cZDsh'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, T7ThVMJytj6r8Jm6bx6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gCbHmo6YXb', 'o8ZHucpJvn', 'TgfHLoEYvk', 'KdyH93xOqQ', 'tvhHNFbBfZ', 'WRiHWMdHy8', 'IdrHt9sO0X'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, RRfZn892i9PnkChBY8.cs	High entropy of concatenated method names: 'nembhc0aKy', 'vIAbwclyve', 'ToString', 'jQSb7T7jdD', 'bSbbQEl9FS', 'LxabMOHm3g', 'egnb0m7uF8', 'vqrbeDGfuF', 'yBrblpnjTE', 'FE1bPRtDih'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, pHJXoU8MHljljU27Z9.cs	High entropy of concatenated method names: 'jbRl7yHeS0', 'k2glMA81bF', 'dd3levqyjQ', 'bCFe1wPfbx', 'SSgezYlK52', 'SQnlOg5fjI', 'cHelJ5Gb1G', 'wxQl3wO8fU', 'h1Wly8dMPh', 'on5lBvfR8W'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, fG424W48tRQhx3CopQ.cs	High entropy of concatenated method names: 'XuUa7bTd4o', 'QFfaQMuHb5', 'j4CaMXJ7NJ', 'Wcua0b1dPT', 'bV2aeWuwOO', 'KOLalDGogP', 'cvUaPa9wG0', 'VlRav2mFv4', 'Y8tah1hhon', 'iwMawX0yUI'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, TRDyijQaiyiZRTkxOq.cs	High entropy of concatenated method names: 'Dispose', 'TkXJ2q4hop', 'Dnh3IGPHGX', 'TI4QQOteaK', 'p7GJ1424W8', 'WRQJzhx3Co', 'ProcessDialogKey', 'tQw3Ox1Pfh', 'YWu3J3GVp1', 'kSa33njt1f'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, Gsdn3QgKGuj3ABI1L9.cs	High entropy of concatenated method names: 'DdPecURHqM', 'BsDeQkeXBS', 'EB3e0X8Q5X', 'jlqel3WmDx', 'ziXePyu7m4', 'TkM0N5vpQC', 'uGe0WgM04k', 'y0y0tgJJNM', 'AOk04Bolp2', 'KrE02Trj8H'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, XfJx19P9NihkSJyVVW.cs	High entropy of concatenated method names: 'sXNycHJeF9', 'Tpdy7deA27', 'RLsyQ0M60C', 'RE0yMOdeDG', 'DE6y01QY5O', 'RpPyeEBPuI', 'fknyl4wsUS', 'E01yPoo7ag', 'xZIyvOmdra', 'w0tyhPv7y8'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, Qri0x7syuiRNrevCve.cs	High entropy of concatenated method names: 'J2aMxA0UM1', 'B6yMqDFdni', 'tpDM6tDVFl', 'mPSMshdccI', 'O34MAEKjqo', 'pQlMfKV6d4', 'AeHMborSHI', 'QrBMa4nAIt', 'dsbMi07RYD', 'xwLMHakJkF'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, tvOcrl3eIFMEK0gRcO.cs	High entropy of concatenated method names: 'abDj7cM5m', 'QdRxgAyi3', 'iLcqIiUb0', 'RTiZrfX2K', 'Qr6sxfsTp', 'cEoSXov0g', 'v8LZH9gJx5Gh7UvxH2', 'fxsGkOEmfZHALJnd6I', 'pXqNLXqPx37goTvdSS', 'JTPaPMS0i'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, rsRPv9JO8iJZ0C7ddKS.cs	High entropy of concatenated method names: 'aH3iogLVuU', 'HgjiUF1F2A', 'LuqijFmNcF', 'G6mixOE7A8', 'AeWiFvfy80', 'S8piqOQUeA', 'of2iZGnsqX', 'lkei6TIX6N', 'L1QisGbI1H', 'dGriSa8to2'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, vHjLiUmOYvJOUgmPGm.cs	High entropy of concatenated method names: 'GTnAGAiMDn', 'UmAARElWjW', 'm4NAm78BOR', 'rSUAuxnVQQ', 'XPLAIs8dFR', 'tb8ACN10DV', 'T7FATXVx5U', 'oGUAKObAGc', 'hixAn2YyXP', 'wyLA8C05xJ'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, jLW4CR6YqLFnTWAfMo.cs	High entropy of concatenated method names: 'rwqQmtdjy9', 'PUiQu6Ub38', 'sfdQLvdlAZ', 'VI7Q96X73F', 'kqMQNE0nGR', 'wOnQWByQFZ', 'L0gQtC2B6n', 'BkAQ4aW7D7', 'TqHQ2flayW', 'l0nQ1YQ7wv'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, nx1Pfh21Wu3GVp1PSa.cs	High entropy of concatenated method names: 'OiWagDlWZd', 'DD8aIfaMm5', 'wHFaCyPw2v', 'wUnaTk55yD', 'tTjamCRrNc', 'UDnaKlsyO6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack, OV.cs	High entropy of concatenated method names: 'eX9', 'RgtTUJcyZL', 'XXu', 'IXK', 'qX0', 'zXZ', 'Uvdq5j', 'yw', 'Os', 'Bx'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, gSYEfxJ3mWb53dtiApw.cs	High entropy of concatenated method names: 'Yi3HoWc5L7', 'r4XHUHDJSP', 'OCjHjmxt6E', 'jTRkjZWzA6RG2Z8YBNX', 'FNltarn0koU4d8iyLEu', 'VBlBq1n1PBx2faSGeLU'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, uWJe8fBUSmndOswZA9.cs	High entropy of concatenated method names: 'IglJlLW4CR', 'nqLJPFnTWA', 'fyuJhiRNre', 'lCvJwe7qUP', 'wU0JAMmgsd', 'K3QJfKGuj3', 'KoCcECBZbTQFG09ROB', 'ggS0MwriqKgLuSaCQX', 'b5MJJAU2rL', 'Lq0Jy14gi8'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, GpOKynzXxAx0mhsKjJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lo4iYF5Gr6', 'CyXiAMdekV', 'fMviftxHZH', 'OTZib6UQSO', 'lqUiaU7jBL', 'ofJiiQlIXy', 'PV4iHIwKKn'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, jKBZbCDWTWf77lE54J.cs	High entropy of concatenated method names: 'YWmY6nvWtR', 'yvGYsZ5XYn', 'XbRYglkFsZ', 'gR9YI75Rpc', 'XEdYTXyBum', 'wwMYKJU4bN', 'Vb2Y8GJ88Y', 'TQjYdbA5pg', 'Y6eYGFKX45', 'phmYXEKLgq'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, w6kQefL8m0YoHQx3Me.cs	High entropy of concatenated method names: 'ToString', 'cU2fXCgBu3', 'QJlfIcgSyk', 'mnyfC2D76n', 'EjEfT3p2Q7', 'MfofKGos0v', 'lPhfnVUx35', 'pQpf8Kjduc', 'dfyfd7iX9L', 'Ll4f55UNYM'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, fqUPcmS4qlWLbVU0Mm.cs	High entropy of concatenated method names: 'cDE0F3qC3P', 'NL40ZtDNKF', 'RKfMC2O34L', 'vtAMT36ij8', 'tyAMKkLlJj', 'rsTMn4WvFc', 'xmBM8SZlu2', 'ENDMdod0eJ', 'XAXM5pY8ff', 'p0HMGsDObd'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, tUoopq5N8vkUC0wdsi.cs	High entropy of concatenated method names: 'nPAloudTWJ', 'kNtlUvUHB0', 'LTcljXJTtb', 'moMlx4h0U0', 'PqulFH69XZ', 'ylTlqrkmGA', 'pDTlZsJPSw', 'CCil6PBqqT', 'iMYlskPYU2', 'IQ1lSGm1Rd'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, mP2gWpWeNb4y9k4ghF.cs	High entropy of concatenated method names: 'Lqcb4Weao1', 't7Rb1nA39L', 'FQPaOmtoRD', 'z6uaJygZYm', 'e52bXdmmLy', 'JMMbRaUDkF', 'ygdbDxgZPJ', 'rWrbmHfpUt', 'Ealbu5si5R', 'umqbLrMxcK'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, Jjt1fo1sfRiO1974xp.cs	High entropy of concatenated method names: 'keAiJin9yY', 'OOuiy4B4nv', 'vnQiBYrNCv', 'Hj8i7CNVn5', 'OjoiQajaQc', 'fNTi0b2ZCW', 'gcJieMYmt5', 'ausatg3rjJ', 'e0Wa4FmkHL', 'iMja2cZDsh'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, T7ThVMJytj6r8Jm6bx6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gCbHmo6YXb', 'o8ZHucpJvn', 'TgfHLoEYvk', 'KdyH93xOqQ', 'tvhHNFbBfZ', 'WRiHWMdHy8', 'IdrHt9sO0X'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, RRfZn892i9PnkChBY8.cs	High entropy of concatenated method names: 'nembhc0aKy', 'vIAbwclyve', 'ToString', 'jQSb7T7jdD', 'bSbbQEl9FS', 'LxabMOHm3g', 'egnb0m7uF8', 'vqrbeDGfuF', 'yBrblpnjTE', 'FE1bPRtDih'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, pHJXoU8MHljljU27Z9.cs	High entropy of concatenated method names: 'jbRl7yHeS0', 'k2glMA81bF', 'dd3levqyjQ', 'bCFe1wPfbx', 'SSgezYlK52', 'SQnlOg5fjI', 'cHelJ5Gb1G', 'wxQl3wO8fU', 'h1Wly8dMPh', 'on5lBvfR8W'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, fG424W48tRQhx3CopQ.cs	High entropy of concatenated method names: 'XuUa7bTd4o', 'QFfaQMuHb5', 'j4CaMXJ7NJ', 'Wcua0b1dPT', 'bV2aeWuwOO', 'KOLalDGogP', 'cvUaPa9wG0', 'VlRav2mFv4', 'Y8tah1hhon', 'iwMawX0yUI'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, TRDyijQaiyiZRTkxOq.cs	High entropy of concatenated method names: 'Dispose', 'TkXJ2q4hop', 'Dnh3IGPHGX', 'TI4QQOteaK', 'p7GJ1424W8', 'WRQJzhx3Co', 'ProcessDialogKey', 'tQw3Ox1Pfh', 'YWu3J3GVp1', 'kSa33njt1f'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, Gsdn3QgKGuj3ABI1L9.cs	High entropy of concatenated method names: 'DdPecURHqM', 'BsDeQkeXBS', 'EB3e0X8Q5X', 'jlqel3WmDx', 'ziXePyu7m4', 'TkM0N5vpQC', 'uGe0WgM04k', 'y0y0tgJJNM', 'AOk04Bolp2', 'KrE02Trj8H'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, XfJx19P9NihkSJyVVW.cs	High entropy of concatenated method names: 'sXNycHJeF9', 'Tpdy7deA27', 'RLsyQ0M60C', 'RE0yMOdeDG', 'DE6y01QY5O', 'RpPyeEBPuI', 'fknyl4wsUS', 'E01yPoo7ag', 'xZIyvOmdra', 'w0tyhPv7y8'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, Qri0x7syuiRNrevCve.cs	High entropy of concatenated method names: 'J2aMxA0UM1', 'B6yMqDFdni', 'tpDM6tDVFl', 'mPSMshdccI', 'O34MAEKjqo', 'pQlMfKV6d4', 'AeHMborSHI', 'QrBMa4nAIt', 'dsbMi07RYD', 'xwLMHakJkF'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, tvOcrl3eIFMEK0gRcO.cs	High entropy of concatenated method names: 'abDj7cM5m', 'QdRxgAyi3', 'iLcqIiUb0', 'RTiZrfX2K', 'Qr6sxfsTp', 'cEoSXov0g', 'v8LZH9gJx5Gh7UvxH2', 'fxsGkOEmfZHALJnd6I', 'pXqNLXqPx37goTvdSS', 'JTPaPMS0i'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, rsRPv9JO8iJZ0C7ddKS.cs	High entropy of concatenated method names: 'aH3iogLVuU', 'HgjiUF1F2A', 'LuqijFmNcF', 'G6mixOE7A8', 'AeWiFvfy80', 'S8piqOQUeA', 'of2iZGnsqX', 'lkei6TIX6N', 'L1QisGbI1H', 'dGriSa8to2'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, vHjLiUmOYvJOUgmPGm.cs	High entropy of concatenated method names: 'GTnAGAiMDn', 'UmAARElWjW', 'm4NAm78BOR', 'rSUAuxnVQQ', 'XPLAIs8dFR', 'tb8ACN10DV', 'T7FATXVx5U', 'oGUAKObAGc', 'hixAn2YyXP', 'wyLA8C05xJ'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, jLW4CR6YqLFnTWAfMo.cs	High entropy of concatenated method names: 'rwqQmtdjy9', 'PUiQu6Ub38', 'sfdQLvdlAZ', 'VI7Q96X73F', 'kqMQNE0nGR', 'wOnQWByQFZ', 'L0gQtC2B6n', 'BkAQ4aW7D7', 'TqHQ2flayW', 'l0nQ1YQ7wv'
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, nx1Pfh21Wu3GVp1PSa.cs	High entropy of concatenated method names: 'OiWagDlWZd', 'DD8aIfaMm5', 'wHFaCyPw2v', 'wUnaTk55yD', 'tTjamCRrNc', 'UDnaKlsyO6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, gSYEfxJ3mWb53dtiApw.cs	High entropy of concatenated method names: 'Yi3HoWc5L7', 'r4XHUHDJSP', 'OCjHjmxt6E', 'jTRkjZWzA6RG2Z8YBNX', 'FNltarn0koU4d8iyLEu', 'VBlBq1n1PBx2faSGeLU'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, uWJe8fBUSmndOswZA9.cs	High entropy of concatenated method names: 'IglJlLW4CR', 'nqLJPFnTWA', 'fyuJhiRNre', 'lCvJwe7qUP', 'wU0JAMmgsd', 'K3QJfKGuj3', 'KoCcECBZbTQFG09ROB', 'ggS0MwriqKgLuSaCQX', 'b5MJJAU2rL', 'Lq0Jy14gi8'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, GpOKynzXxAx0mhsKjJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lo4iYF5Gr6', 'CyXiAMdekV', 'fMviftxHZH', 'OTZib6UQSO', 'lqUiaU7jBL', 'ofJiiQlIXy', 'PV4iHIwKKn'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, jKBZbCDWTWf77lE54J.cs	High entropy of concatenated method names: 'YWmY6nvWtR', 'yvGYsZ5XYn', 'XbRYglkFsZ', 'gR9YI75Rpc', 'XEdYTXyBum', 'wwMYKJU4bN', 'Vb2Y8GJ88Y', 'TQjYdbA5pg', 'Y6eYGFKX45', 'phmYXEKLgq'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, w6kQefL8m0YoHQx3Me.cs	High entropy of concatenated method names: 'ToString', 'cU2fXCgBu3', 'QJlfIcgSyk', 'mnyfC2D76n', 'EjEfT3p2Q7', 'MfofKGos0v', 'lPhfnVUx35', 'pQpf8Kjduc', 'dfyfd7iX9L', 'Ll4f55UNYM'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, fqUPcmS4qlWLbVU0Mm.cs	High entropy of concatenated method names: 'cDE0F3qC3P', 'NL40ZtDNKF', 'RKfMC2O34L', 'vtAMT36ij8', 'tyAMKkLlJj', 'rsTMn4WvFc', 'xmBM8SZlu2', 'ENDMdod0eJ', 'XAXM5pY8ff', 'p0HMGsDObd'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, tUoopq5N8vkUC0wdsi.cs	High entropy of concatenated method names: 'nPAloudTWJ', 'kNtlUvUHB0', 'LTcljXJTtb', 'moMlx4h0U0', 'PqulFH69XZ', 'ylTlqrkmGA', 'pDTlZsJPSw', 'CCil6PBqqT', 'iMYlskPYU2', 'IQ1lSGm1Rd'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, mP2gWpWeNb4y9k4ghF.cs	High entropy of concatenated method names: 'Lqcb4Weao1', 't7Rb1nA39L', 'FQPaOmtoRD', 'z6uaJygZYm', 'e52bXdmmLy', 'JMMbRaUDkF', 'ygdbDxgZPJ', 'rWrbmHfpUt', 'Ealbu5si5R', 'umqbLrMxcK'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, Jjt1fo1sfRiO1974xp.cs	High entropy of concatenated method names: 'keAiJin9yY', 'OOuiy4B4nv', 'vnQiBYrNCv', 'Hj8i7CNVn5', 'OjoiQajaQc', 'fNTi0b2ZCW', 'gcJieMYmt5', 'ausatg3rjJ', 'e0Wa4FmkHL', 'iMja2cZDsh'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, T7ThVMJytj6r8Jm6bx6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gCbHmo6YXb', 'o8ZHucpJvn', 'TgfHLoEYvk', 'KdyH93xOqQ', 'tvhHNFbBfZ', 'WRiHWMdHy8', 'IdrHt9sO0X'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, RRfZn892i9PnkChBY8.cs	High entropy of concatenated method names: 'nembhc0aKy', 'vIAbwclyve', 'ToString', 'jQSb7T7jdD', 'bSbbQEl9FS', 'LxabMOHm3g', 'egnb0m7uF8', 'vqrbeDGfuF', 'yBrblpnjTE', 'FE1bPRtDih'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, pHJXoU8MHljljU27Z9.cs	High entropy of concatenated method names: 'jbRl7yHeS0', 'k2glMA81bF', 'dd3levqyjQ', 'bCFe1wPfbx', 'SSgezYlK52', 'SQnlOg5fjI', 'cHelJ5Gb1G', 'wxQl3wO8fU', 'h1Wly8dMPh', 'on5lBvfR8W'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, fG424W48tRQhx3CopQ.cs	High entropy of concatenated method names: 'XuUa7bTd4o', 'QFfaQMuHb5', 'j4CaMXJ7NJ', 'Wcua0b1dPT', 'bV2aeWuwOO', 'KOLalDGogP', 'cvUaPa9wG0', 'VlRav2mFv4', 'Y8tah1hhon', 'iwMawX0yUI'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, TRDyijQaiyiZRTkxOq.cs	High entropy of concatenated method names: 'Dispose', 'TkXJ2q4hop', 'Dnh3IGPHGX', 'TI4QQOteaK', 'p7GJ1424W8', 'WRQJzhx3Co', 'ProcessDialogKey', 'tQw3Ox1Pfh', 'YWu3J3GVp1', 'kSa33njt1f'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, Gsdn3QgKGuj3ABI1L9.cs	High entropy of concatenated method names: 'DdPecURHqM', 'BsDeQkeXBS', 'EB3e0X8Q5X', 'jlqel3WmDx', 'ziXePyu7m4', 'TkM0N5vpQC', 'uGe0WgM04k', 'y0y0tgJJNM', 'AOk04Bolp2', 'KrE02Trj8H'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, XfJx19P9NihkSJyVVW.cs	High entropy of concatenated method names: 'sXNycHJeF9', 'Tpdy7deA27', 'RLsyQ0M60C', 'RE0yMOdeDG', 'DE6y01QY5O', 'RpPyeEBPuI', 'fknyl4wsUS', 'E01yPoo7ag', 'xZIyvOmdra', 'w0tyhPv7y8'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, Qri0x7syuiRNrevCve.cs	High entropy of concatenated method names: 'J2aMxA0UM1', 'B6yMqDFdni', 'tpDM6tDVFl', 'mPSMshdccI', 'O34MAEKjqo', 'pQlMfKV6d4', 'AeHMborSHI', 'QrBMa4nAIt', 'dsbMi07RYD', 'xwLMHakJkF'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, tvOcrl3eIFMEK0gRcO.cs	High entropy of concatenated method names: 'abDj7cM5m', 'QdRxgAyi3', 'iLcqIiUb0', 'RTiZrfX2K', 'Qr6sxfsTp', 'cEoSXov0g', 'v8LZH9gJx5Gh7UvxH2', 'fxsGkOEmfZHALJnd6I', 'pXqNLXqPx37goTvdSS', 'JTPaPMS0i'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, rsRPv9JO8iJZ0C7ddKS.cs	High entropy of concatenated method names: 'aH3iogLVuU', 'HgjiUF1F2A', 'LuqijFmNcF', 'G6mixOE7A8', 'AeWiFvfy80', 'S8piqOQUeA', 'of2iZGnsqX', 'lkei6TIX6N', 'L1QisGbI1H', 'dGriSa8to2'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, vHjLiUmOYvJOUgmPGm.cs	High entropy of concatenated method names: 'GTnAGAiMDn', 'UmAARElWjW', 'm4NAm78BOR', 'rSUAuxnVQQ', 'XPLAIs8dFR', 'tb8ACN10DV', 'T7FATXVx5U', 'oGUAKObAGc', 'hixAn2YyXP', 'wyLA8C05xJ'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, jLW4CR6YqLFnTWAfMo.cs	High entropy of concatenated method names: 'rwqQmtdjy9', 'PUiQu6Ub38', 'sfdQLvdlAZ', 'VI7Q96X73F', 'kqMQNE0nGR', 'wOnQWByQFZ', 'L0gQtC2B6n', 'BkAQ4aW7D7', 'TqHQ2flayW', 'l0nQ1YQ7wv'
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, nx1Pfh21Wu3GVp1PSa.cs	High entropy of concatenated method names: 'OiWagDlWZd', 'DD8aIfaMm5', 'wHFaCyPw2v', 'wUnaTk55yD', 'tTjamCRrNc', 'UDnaKlsyO6', 'Next', 'Next', 'Next', 'NextBytes'

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\netsh.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 30B9904 second address: 30B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 30B9B7E second address: 30B9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Memory allocated: 13E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Memory allocated: 4F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Memory allocated: 7C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Memory allocated: 8C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Memory allocated: 8ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Memory allocated: 9ED0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3135	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 6805	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 882	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 868	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Window / User API: threadDelayed 9799	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_7-13934

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	API coverage: 1.6 %
Source: C:\Windows\SysWOW64\netsh.exe	API coverage: 1.4 %

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe TID: 3748	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1968	Thread sleep count: 3135 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1968	Thread sleep time: -6270000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1968	Thread sleep count: 6805 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1968	Thread sleep time: -13610000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 4524	Thread sleep count: 172 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 4524	Thread sleep time: -344000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 4524	Thread sleep count: 9799 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 4524	Thread sleep time: -19598000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netsh.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 00000007.00000002.4447809365.0000000009C96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000007.00000002.4444797028.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000007.00000000.2010640411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4446934807.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000007.00000002.4447710215.0000000009B81000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000003.3777482422.0000000009B72000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000007.00000002.4447809365.0000000009C96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.4446934807.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000007.00000003.3094915197.0000000003549000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000007.00000002.4447809365.0000000009C96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000002.4441584000.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000007.00000003.3094915197.0000000003549000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000007.00000002.4444797028.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000007.00000000.2010640411.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4446934807.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000003.3094915197.0000000003549000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000007.00000003.3094915197.0000000003549000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000007.00000002.4447710215.0000000009B81000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000007.00000002.4447809365.0000000009C96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000007.00000002.4441584000.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000002.4446934807.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.2009042834.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

Code function: 6_2_0040ACF0 LdrLoadDll,

6_2_0040ACF0

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EA118 mov ecx, dword ptr fs:[00000030h]	6_2_011EA118
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EA118 mov eax, dword ptr fs:[00000030h]	6_2_011EA118
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EA118 mov eax, dword ptr fs:[00000030h]	6_2_011EA118
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EA118 mov eax, dword ptr fs:[00000030h]	6_2_011EA118
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE10E mov eax, dword ptr fs:[00000030h]	6_2_011EE10E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE10E mov ecx, dword ptr fs:[00000030h]	6_2_011EE10E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE10E mov eax, dword ptr fs:[00000030h]	6_2_011EE10E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE10E mov eax, dword ptr fs:[00000030h]	6_2_011EE10E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE10E mov ecx, dword ptr fs:[00000030h]	6_2_011EE10E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE10E mov eax, dword ptr fs:[00000030h]	6_2_011EE10E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE10E mov eax, dword ptr fs:[00000030h]	6_2_011EE10E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE10E mov ecx, dword ptr fs:[00000030h]	6_2_011EE10E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE10E mov eax, dword ptr fs:[00000030h]	6_2_011EE10E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE10E mov ecx, dword ptr fs:[00000030h]	6_2_011EE10E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01170124 mov eax, dword ptr fs:[00000030h]	6_2_01170124
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01200115 mov eax, dword ptr fs:[00000030h]	6_2_01200115
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01146154 mov eax, dword ptr fs:[00000030h]	6_2_01146154
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01146154 mov eax, dword ptr fs:[00000030h]	6_2_01146154
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113C156 mov eax, dword ptr fs:[00000030h]	6_2_0113C156
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D8158 mov eax, dword ptr fs:[00000030h]	6_2_011D8158
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01214164 mov eax, dword ptr fs:[00000030h]	6_2_01214164
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01214164 mov eax, dword ptr fs:[00000030h]	6_2_01214164
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D4144 mov eax, dword ptr fs:[00000030h]	6_2_011D4144
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D4144 mov eax, dword ptr fs:[00000030h]	6_2_011D4144
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D4144 mov ecx, dword ptr fs:[00000030h]	6_2_011D4144
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D4144 mov eax, dword ptr fs:[00000030h]	6_2_011D4144
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D4144 mov eax, dword ptr fs:[00000030h]	6_2_011D4144
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C019F mov eax, dword ptr fs:[00000030h]	6_2_011C019F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C019F mov eax, dword ptr fs:[00000030h]	6_2_011C019F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C019F mov eax, dword ptr fs:[00000030h]	6_2_011C019F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C019F mov eax, dword ptr fs:[00000030h]	6_2_011C019F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113A197 mov eax, dword ptr fs:[00000030h]	6_2_0113A197
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113A197 mov eax, dword ptr fs:[00000030h]	6_2_0113A197
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113A197 mov eax, dword ptr fs:[00000030h]	6_2_0113A197
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011FC188 mov eax, dword ptr fs:[00000030h]	6_2_011FC188
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011FC188 mov eax, dword ptr fs:[00000030h]	6_2_011FC188
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01180185 mov eax, dword ptr fs:[00000030h]	6_2_01180185
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E4180 mov eax, dword ptr fs:[00000030h]	6_2_011E4180
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E4180 mov eax, dword ptr fs:[00000030h]	6_2_011E4180
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012161E5 mov eax, dword ptr fs:[00000030h]	6_2_012161E5
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BE1D0 mov eax, dword ptr fs:[00000030h]	6_2_011BE1D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BE1D0 mov eax, dword ptr fs:[00000030h]	6_2_011BE1D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BE1D0 mov ecx, dword ptr fs:[00000030h]	6_2_011BE1D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BE1D0 mov eax, dword ptr fs:[00000030h]	6_2_011BE1D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BE1D0 mov eax, dword ptr fs:[00000030h]	6_2_011BE1D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012061C3 mov eax, dword ptr fs:[00000030h]	6_2_012061C3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012061C3 mov eax, dword ptr fs:[00000030h]	6_2_012061C3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011701F8 mov eax, dword ptr fs:[00000030h]	6_2_011701F8
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115E016 mov eax, dword ptr fs:[00000030h]	6_2_0115E016
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115E016 mov eax, dword ptr fs:[00000030h]	6_2_0115E016
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115E016 mov eax, dword ptr fs:[00000030h]	6_2_0115E016
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115E016 mov eax, dword ptr fs:[00000030h]	6_2_0115E016
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C4000 mov ecx, dword ptr fs:[00000030h]	6_2_011C4000
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h]	6_2_011E2000
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h]	6_2_011E2000
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h]	6_2_011E2000
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h]	6_2_011E2000
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h]	6_2_011E2000
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h]	6_2_011E2000
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h]	6_2_011E2000
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h]	6_2_011E2000
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D6030 mov eax, dword ptr fs:[00000030h]	6_2_011D6030
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113A020 mov eax, dword ptr fs:[00000030h]	6_2_0113A020
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113C020 mov eax, dword ptr fs:[00000030h]	6_2_0113C020
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01142050 mov eax, dword ptr fs:[00000030h]	6_2_01142050
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C6050 mov eax, dword ptr fs:[00000030h]	6_2_011C6050
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116C073 mov eax, dword ptr fs:[00000030h]	6_2_0116C073
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012060B8 mov eax, dword ptr fs:[00000030h]	6_2_012060B8
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012060B8 mov ecx, dword ptr fs:[00000030h]	6_2_012060B8
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114208A mov eax, dword ptr fs:[00000030h]	6_2_0114208A
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011380A0 mov eax, dword ptr fs:[00000030h]	6_2_011380A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D80A8 mov eax, dword ptr fs:[00000030h]	6_2_011D80A8
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C20DE mov eax, dword ptr fs:[00000030h]	6_2_011C20DE
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113C0F0 mov eax, dword ptr fs:[00000030h]	6_2_0113C0F0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011820F0 mov ecx, dword ptr fs:[00000030h]	6_2_011820F0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_0113A0E3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C60E0 mov eax, dword ptr fs:[00000030h]	6_2_011C60E0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011480E9 mov eax, dword ptr fs:[00000030h]	6_2_011480E9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113C310 mov ecx, dword ptr fs:[00000030h]	6_2_0113C310
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01218324 mov eax, dword ptr fs:[00000030h]	6_2_01218324
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01218324 mov ecx, dword ptr fs:[00000030h]	6_2_01218324
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01218324 mov eax, dword ptr fs:[00000030h]	6_2_01218324
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01218324 mov eax, dword ptr fs:[00000030h]	6_2_01218324
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01160310 mov ecx, dword ptr fs:[00000030h]	6_2_01160310
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117A30B mov eax, dword ptr fs:[00000030h]	6_2_0117A30B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117A30B mov eax, dword ptr fs:[00000030h]	6_2_0117A30B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117A30B mov eax, dword ptr fs:[00000030h]	6_2_0117A30B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C035C mov eax, dword ptr fs:[00000030h]	6_2_011C035C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C035C mov eax, dword ptr fs:[00000030h]	6_2_011C035C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C035C mov eax, dword ptr fs:[00000030h]	6_2_011C035C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C035C mov ecx, dword ptr fs:[00000030h]	6_2_011C035C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C035C mov eax, dword ptr fs:[00000030h]	6_2_011C035C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C035C mov eax, dword ptr fs:[00000030h]	6_2_011C035C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E8350 mov ecx, dword ptr fs:[00000030h]	6_2_011E8350
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h]	6_2_011C2349
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E437C mov eax, dword ptr fs:[00000030h]	6_2_011E437C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0121634F mov eax, dword ptr fs:[00000030h]	6_2_0121634F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120A352 mov eax, dword ptr fs:[00000030h]	6_2_0120A352
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01138397 mov eax, dword ptr fs:[00000030h]	6_2_01138397
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01138397 mov eax, dword ptr fs:[00000030h]	6_2_01138397
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01138397 mov eax, dword ptr fs:[00000030h]	6_2_01138397
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116438F mov eax, dword ptr fs:[00000030h]	6_2_0116438F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116438F mov eax, dword ptr fs:[00000030h]	6_2_0116438F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113E388 mov eax, dword ptr fs:[00000030h]	6_2_0113E388
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113E388 mov eax, dword ptr fs:[00000030h]	6_2_0113E388
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113E388 mov eax, dword ptr fs:[00000030h]	6_2_0113E388
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE3DB mov eax, dword ptr fs:[00000030h]	6_2_011EE3DB
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE3DB mov eax, dword ptr fs:[00000030h]	6_2_011EE3DB
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE3DB mov ecx, dword ptr fs:[00000030h]	6_2_011EE3DB
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EE3DB mov eax, dword ptr fs:[00000030h]	6_2_011EE3DB
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E43D4 mov eax, dword ptr fs:[00000030h]	6_2_011E43D4
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E43D4 mov eax, dword ptr fs:[00000030h]	6_2_011E43D4
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011FC3CD mov eax, dword ptr fs:[00000030h]	6_2_011FC3CD
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0114A3C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0114A3C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0114A3C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0114A3C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0114A3C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0114A3C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011483C0 mov eax, dword ptr fs:[00000030h]	6_2_011483C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011483C0 mov eax, dword ptr fs:[00000030h]	6_2_011483C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011483C0 mov eax, dword ptr fs:[00000030h]	6_2_011483C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011483C0 mov eax, dword ptr fs:[00000030h]	6_2_011483C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C63C0 mov eax, dword ptr fs:[00000030h]	6_2_011C63C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0115E3F0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0115E3F0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0115E3F0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011763FF mov eax, dword ptr fs:[00000030h]	6_2_011763FF
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h]	6_2_011503E9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h]	6_2_011503E9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h]	6_2_011503E9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h]	6_2_011503E9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h]	6_2_011503E9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h]	6_2_011503E9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h]	6_2_011503E9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h]	6_2_011503E9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113823B mov eax, dword ptr fs:[00000030h]	6_2_0113823B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113A250 mov eax, dword ptr fs:[00000030h]	6_2_0113A250
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01146259 mov eax, dword ptr fs:[00000030h]	6_2_01146259
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011FA250 mov eax, dword ptr fs:[00000030h]	6_2_011FA250
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011FA250 mov eax, dword ptr fs:[00000030h]	6_2_011FA250
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C8243 mov eax, dword ptr fs:[00000030h]	6_2_011C8243
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C8243 mov ecx, dword ptr fs:[00000030h]	6_2_011C8243
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h]	6_2_011F0274
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h]	6_2_011F0274
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h]	6_2_011F0274
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h]	6_2_011F0274
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h]	6_2_011F0274
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h]	6_2_011F0274
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h]	6_2_011F0274
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h]	6_2_011F0274
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h]	6_2_011F0274
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h]	6_2_011F0274
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h]	6_2_011F0274
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h]	6_2_011F0274
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01144260 mov eax, dword ptr fs:[00000030h]	6_2_01144260
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01144260 mov eax, dword ptr fs:[00000030h]	6_2_01144260
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01144260 mov eax, dword ptr fs:[00000030h]	6_2_01144260
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113826B mov eax, dword ptr fs:[00000030h]	6_2_0113826B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0121625D mov eax, dword ptr fs:[00000030h]	6_2_0121625D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E284 mov eax, dword ptr fs:[00000030h]	6_2_0117E284
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E284 mov eax, dword ptr fs:[00000030h]	6_2_0117E284
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C0283 mov eax, dword ptr fs:[00000030h]	6_2_011C0283
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C0283 mov eax, dword ptr fs:[00000030h]	6_2_011C0283
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C0283 mov eax, dword ptr fs:[00000030h]	6_2_011C0283
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011502A0 mov eax, dword ptr fs:[00000030h]	6_2_011502A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011502A0 mov eax, dword ptr fs:[00000030h]	6_2_011502A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D62A0 mov eax, dword ptr fs:[00000030h]	6_2_011D62A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D62A0 mov ecx, dword ptr fs:[00000030h]	6_2_011D62A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D62A0 mov eax, dword ptr fs:[00000030h]	6_2_011D62A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D62A0 mov eax, dword ptr fs:[00000030h]	6_2_011D62A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D62A0 mov eax, dword ptr fs:[00000030h]	6_2_011D62A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D62A0 mov eax, dword ptr fs:[00000030h]	6_2_011D62A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0114A2C3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0114A2C3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0114A2C3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0114A2C3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0114A2C3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011502E1 mov eax, dword ptr fs:[00000030h]	6_2_011502E1
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011502E1 mov eax, dword ptr fs:[00000030h]	6_2_011502E1
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011502E1 mov eax, dword ptr fs:[00000030h]	6_2_011502E1
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012162D6 mov eax, dword ptr fs:[00000030h]	6_2_012162D6
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D6500 mov eax, dword ptr fs:[00000030h]	6_2_011D6500
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150535 mov eax, dword ptr fs:[00000030h]	6_2_01150535
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150535 mov eax, dword ptr fs:[00000030h]	6_2_01150535
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150535 mov eax, dword ptr fs:[00000030h]	6_2_01150535
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150535 mov eax, dword ptr fs:[00000030h]	6_2_01150535
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150535 mov eax, dword ptr fs:[00000030h]	6_2_01150535
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150535 mov eax, dword ptr fs:[00000030h]	6_2_01150535
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h]	6_2_01214500
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h]	6_2_01214500
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h]	6_2_01214500
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h]	6_2_01214500
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h]	6_2_01214500
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h]	6_2_01214500
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h]	6_2_01214500
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E53E mov eax, dword ptr fs:[00000030h]	6_2_0116E53E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E53E mov eax, dword ptr fs:[00000030h]	6_2_0116E53E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E53E mov eax, dword ptr fs:[00000030h]	6_2_0116E53E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E53E mov eax, dword ptr fs:[00000030h]	6_2_0116E53E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E53E mov eax, dword ptr fs:[00000030h]	6_2_0116E53E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01148550 mov eax, dword ptr fs:[00000030h]	6_2_01148550
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01148550 mov eax, dword ptr fs:[00000030h]	6_2_01148550
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117656A mov eax, dword ptr fs:[00000030h]	6_2_0117656A
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117656A mov eax, dword ptr fs:[00000030h]	6_2_0117656A
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117656A mov eax, dword ptr fs:[00000030h]	6_2_0117656A
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E59C mov eax, dword ptr fs:[00000030h]	6_2_0117E59C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01142582 mov eax, dword ptr fs:[00000030h]	6_2_01142582
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01142582 mov ecx, dword ptr fs:[00000030h]	6_2_01142582
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01174588 mov eax, dword ptr fs:[00000030h]	6_2_01174588
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011645B1 mov eax, dword ptr fs:[00000030h]	6_2_011645B1
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011645B1 mov eax, dword ptr fs:[00000030h]	6_2_011645B1
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C05A7 mov eax, dword ptr fs:[00000030h]	6_2_011C05A7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C05A7 mov eax, dword ptr fs:[00000030h]	6_2_011C05A7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C05A7 mov eax, dword ptr fs:[00000030h]	6_2_011C05A7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011465D0 mov eax, dword ptr fs:[00000030h]	6_2_011465D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0117A5D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0117A5D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E5CF mov eax, dword ptr fs:[00000030h]	6_2_0117E5CF
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E5CF mov eax, dword ptr fs:[00000030h]	6_2_0117E5CF
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0116E5E7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0116E5E7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0116E5E7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0116E5E7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0116E5E7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0116E5E7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0116E5E7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0116E5E7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011425E0 mov eax, dword ptr fs:[00000030h]	6_2_011425E0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117C5ED mov eax, dword ptr fs:[00000030h]	6_2_0117C5ED
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117C5ED mov eax, dword ptr fs:[00000030h]	6_2_0117C5ED
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01178402 mov eax, dword ptr fs:[00000030h]	6_2_01178402
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01178402 mov eax, dword ptr fs:[00000030h]	6_2_01178402
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01178402 mov eax, dword ptr fs:[00000030h]	6_2_01178402
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117A430 mov eax, dword ptr fs:[00000030h]	6_2_0117A430
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113E420 mov eax, dword ptr fs:[00000030h]	6_2_0113E420
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113E420 mov eax, dword ptr fs:[00000030h]	6_2_0113E420
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113E420 mov eax, dword ptr fs:[00000030h]	6_2_0113E420
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113C427 mov eax, dword ptr fs:[00000030h]	6_2_0113C427
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]	6_2_011C6420
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]	6_2_011C6420
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]	6_2_011C6420
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]	6_2_011C6420
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]	6_2_011C6420
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]	6_2_011C6420
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]	6_2_011C6420
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011FA456 mov eax, dword ptr fs:[00000030h]	6_2_011FA456
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116245A mov eax, dword ptr fs:[00000030h]	6_2_0116245A
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113645D mov eax, dword ptr fs:[00000030h]	6_2_0113645D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]	6_2_0117E443
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]	6_2_0117E443
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]	6_2_0117E443
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]	6_2_0117E443
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]	6_2_0117E443
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]	6_2_0117E443
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]	6_2_0117E443
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]	6_2_0117E443
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116A470 mov eax, dword ptr fs:[00000030h]	6_2_0116A470
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116A470 mov eax, dword ptr fs:[00000030h]	6_2_0116A470
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116A470 mov eax, dword ptr fs:[00000030h]	6_2_0116A470
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CC460 mov ecx, dword ptr fs:[00000030h]	6_2_011CC460
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011FA49A mov eax, dword ptr fs:[00000030h]	6_2_011FA49A
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011744B0 mov ecx, dword ptr fs:[00000030h]	6_2_011744B0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CA4B0 mov eax, dword ptr fs:[00000030h]	6_2_011CA4B0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011464AB mov eax, dword ptr fs:[00000030h]	6_2_011464AB
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011404E5 mov ecx, dword ptr fs:[00000030h]	6_2_011404E5
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01140710 mov eax, dword ptr fs:[00000030h]	6_2_01140710
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01170710 mov eax, dword ptr fs:[00000030h]	6_2_01170710
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117C700 mov eax, dword ptr fs:[00000030h]	6_2_0117C700
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117273C mov eax, dword ptr fs:[00000030h]	6_2_0117273C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117273C mov ecx, dword ptr fs:[00000030h]	6_2_0117273C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117273C mov eax, dword ptr fs:[00000030h]	6_2_0117273C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BC730 mov eax, dword ptr fs:[00000030h]	6_2_011BC730
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117C720 mov eax, dword ptr fs:[00000030h]	6_2_0117C720
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117C720 mov eax, dword ptr fs:[00000030h]	6_2_0117C720
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CE75D mov eax, dword ptr fs:[00000030h]	6_2_011CE75D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01140750 mov eax, dword ptr fs:[00000030h]	6_2_01140750
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182750 mov eax, dword ptr fs:[00000030h]	6_2_01182750
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182750 mov eax, dword ptr fs:[00000030h]	6_2_01182750
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C4755 mov eax, dword ptr fs:[00000030h]	6_2_011C4755
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117674D mov esi, dword ptr fs:[00000030h]	6_2_0117674D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117674D mov eax, dword ptr fs:[00000030h]	6_2_0117674D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117674D mov eax, dword ptr fs:[00000030h]	6_2_0117674D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01148770 mov eax, dword ptr fs:[00000030h]	6_2_01148770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]	6_2_01150770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]	6_2_01150770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]	6_2_01150770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]	6_2_01150770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]	6_2_01150770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]	6_2_01150770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]	6_2_01150770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]	6_2_01150770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]	6_2_01150770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]	6_2_01150770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]	6_2_01150770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]	6_2_01150770
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E678E mov eax, dword ptr fs:[00000030h]	6_2_011E678E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011407AF mov eax, dword ptr fs:[00000030h]	6_2_011407AF
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F47A0 mov eax, dword ptr fs:[00000030h]	6_2_011F47A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114C7C0 mov eax, dword ptr fs:[00000030h]	6_2_0114C7C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C07C3 mov eax, dword ptr fs:[00000030h]	6_2_011C07C3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011447FB mov eax, dword ptr fs:[00000030h]	6_2_011447FB
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011447FB mov eax, dword ptr fs:[00000030h]	6_2_011447FB
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011627ED mov eax, dword ptr fs:[00000030h]	6_2_011627ED
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011627ED mov eax, dword ptr fs:[00000030h]	6_2_011627ED
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011627ED mov eax, dword ptr fs:[00000030h]	6_2_011627ED
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CE7E1 mov eax, dword ptr fs:[00000030h]	6_2_011CE7E1
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01182619 mov eax, dword ptr fs:[00000030h]	6_2_01182619
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BE609 mov eax, dword ptr fs:[00000030h]	6_2_011BE609
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]	6_2_0115260B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]	6_2_0115260B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]	6_2_0115260B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]	6_2_0115260B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]	6_2_0115260B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]	6_2_0115260B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]	6_2_0115260B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115E627 mov eax, dword ptr fs:[00000030h]	6_2_0115E627
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01176620 mov eax, dword ptr fs:[00000030h]	6_2_01176620
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01178620 mov eax, dword ptr fs:[00000030h]	6_2_01178620
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114262C mov eax, dword ptr fs:[00000030h]	6_2_0114262C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120866E mov eax, dword ptr fs:[00000030h]	6_2_0120866E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120866E mov eax, dword ptr fs:[00000030h]	6_2_0120866E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0115C640 mov eax, dword ptr fs:[00000030h]	6_2_0115C640
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01172674 mov eax, dword ptr fs:[00000030h]	6_2_01172674
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117A660 mov eax, dword ptr fs:[00000030h]	6_2_0117A660
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117A660 mov eax, dword ptr fs:[00000030h]	6_2_0117A660
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01144690 mov eax, dword ptr fs:[00000030h]	6_2_01144690
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01144690 mov eax, dword ptr fs:[00000030h]	6_2_01144690
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011766B0 mov eax, dword ptr fs:[00000030h]	6_2_011766B0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117C6A6 mov eax, dword ptr fs:[00000030h]	6_2_0117C6A6
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117A6C7 mov ebx, dword ptr fs:[00000030h]	6_2_0117A6C7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117A6C7 mov eax, dword ptr fs:[00000030h]	6_2_0117A6C7
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BE6F2 mov eax, dword ptr fs:[00000030h]	6_2_011BE6F2
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BE6F2 mov eax, dword ptr fs:[00000030h]	6_2_011BE6F2
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BE6F2 mov eax, dword ptr fs:[00000030h]	6_2_011BE6F2
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BE6F2 mov eax, dword ptr fs:[00000030h]	6_2_011BE6F2
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C06F1 mov eax, dword ptr fs:[00000030h]	6_2_011C06F1
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C06F1 mov eax, dword ptr fs:[00000030h]	6_2_011C06F1
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01138918 mov eax, dword ptr fs:[00000030h]	6_2_01138918
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01138918 mov eax, dword ptr fs:[00000030h]	6_2_01138918
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CC912 mov eax, dword ptr fs:[00000030h]	6_2_011CC912
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BE908 mov eax, dword ptr fs:[00000030h]	6_2_011BE908
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BE908 mov eax, dword ptr fs:[00000030h]	6_2_011BE908
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C892A mov eax, dword ptr fs:[00000030h]	6_2_011C892A
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D892B mov eax, dword ptr fs:[00000030h]	6_2_011D892B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C0946 mov eax, dword ptr fs:[00000030h]	6_2_011C0946
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CC97C mov eax, dword ptr fs:[00000030h]	6_2_011CC97C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01214940 mov eax, dword ptr fs:[00000030h]	6_2_01214940
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E4978 mov eax, dword ptr fs:[00000030h]	6_2_011E4978
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E4978 mov eax, dword ptr fs:[00000030h]	6_2_011E4978
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01166962 mov eax, dword ptr fs:[00000030h]	6_2_01166962
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01166962 mov eax, dword ptr fs:[00000030h]	6_2_01166962
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01166962 mov eax, dword ptr fs:[00000030h]	6_2_01166962
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0118096E mov eax, dword ptr fs:[00000030h]	6_2_0118096E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0118096E mov edx, dword ptr fs:[00000030h]	6_2_0118096E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0118096E mov eax, dword ptr fs:[00000030h]	6_2_0118096E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C89B3 mov esi, dword ptr fs:[00000030h]	6_2_011C89B3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C89B3 mov eax, dword ptr fs:[00000030h]	6_2_011C89B3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011C89B3 mov eax, dword ptr fs:[00000030h]	6_2_011C89B3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]	6_2_011529A0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011409AD mov eax, dword ptr fs:[00000030h]	6_2_011409AD
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011409AD mov eax, dword ptr fs:[00000030h]	6_2_011409AD
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0114A9D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0114A9D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0114A9D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0114A9D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0114A9D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0114A9D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011749D0 mov eax, dword ptr fs:[00000030h]	6_2_011749D0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D69C0 mov eax, dword ptr fs:[00000030h]	6_2_011D69C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011729F9 mov eax, dword ptr fs:[00000030h]	6_2_011729F9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011729F9 mov eax, dword ptr fs:[00000030h]	6_2_011729F9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120A9D3 mov eax, dword ptr fs:[00000030h]	6_2_0120A9D3
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CE9E0 mov eax, dword ptr fs:[00000030h]	6_2_011CE9E0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CC810 mov eax, dword ptr fs:[00000030h]	6_2_011CC810
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01162835 mov eax, dword ptr fs:[00000030h]	6_2_01162835
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01162835 mov eax, dword ptr fs:[00000030h]	6_2_01162835
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01162835 mov eax, dword ptr fs:[00000030h]	6_2_01162835
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01162835 mov ecx, dword ptr fs:[00000030h]	6_2_01162835
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01162835 mov eax, dword ptr fs:[00000030h]	6_2_01162835
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01162835 mov eax, dword ptr fs:[00000030h]	6_2_01162835
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E483A mov eax, dword ptr fs:[00000030h]	6_2_011E483A
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E483A mov eax, dword ptr fs:[00000030h]	6_2_011E483A
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117A830 mov eax, dword ptr fs:[00000030h]	6_2_0117A830
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01170854 mov eax, dword ptr fs:[00000030h]	6_2_01170854
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01144859 mov eax, dword ptr fs:[00000030h]	6_2_01144859
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01144859 mov eax, dword ptr fs:[00000030h]	6_2_01144859
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01152840 mov ecx, dword ptr fs:[00000030h]	6_2_01152840
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D6870 mov eax, dword ptr fs:[00000030h]	6_2_011D6870
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D6870 mov eax, dword ptr fs:[00000030h]	6_2_011D6870
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CE872 mov eax, dword ptr fs:[00000030h]	6_2_011CE872
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CE872 mov eax, dword ptr fs:[00000030h]	6_2_011CE872
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CC89D mov eax, dword ptr fs:[00000030h]	6_2_011CC89D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01140887 mov eax, dword ptr fs:[00000030h]	6_2_01140887
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120A8E4 mov eax, dword ptr fs:[00000030h]	6_2_0120A8E4
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116E8C0 mov eax, dword ptr fs:[00000030h]	6_2_0116E8C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_012108C0 mov eax, dword ptr fs:[00000030h]	6_2_012108C0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0117C8F9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0117C8F9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]	6_2_011BEB1D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]	6_2_011BEB1D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]	6_2_011BEB1D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]	6_2_011BEB1D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]	6_2_011BEB1D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]	6_2_011BEB1D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]	6_2_011BEB1D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]	6_2_011BEB1D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]	6_2_011BEB1D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01208B28 mov eax, dword ptr fs:[00000030h]	6_2_01208B28
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01208B28 mov eax, dword ptr fs:[00000030h]	6_2_01208B28
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01214B00 mov eax, dword ptr fs:[00000030h]	6_2_01214B00
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116EB20 mov eax, dword ptr fs:[00000030h]	6_2_0116EB20
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116EB20 mov eax, dword ptr fs:[00000030h]	6_2_0116EB20
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01138B50 mov eax, dword ptr fs:[00000030h]	6_2_01138B50
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EEB50 mov eax, dword ptr fs:[00000030h]	6_2_011EEB50
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F4B4B mov eax, dword ptr fs:[00000030h]	6_2_011F4B4B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F4B4B mov eax, dword ptr fs:[00000030h]	6_2_011F4B4B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011E8B42 mov eax, dword ptr fs:[00000030h]	6_2_011E8B42
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D6B40 mov eax, dword ptr fs:[00000030h]	6_2_011D6B40
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011D6B40 mov eax, dword ptr fs:[00000030h]	6_2_011D6B40
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0120AB40 mov eax, dword ptr fs:[00000030h]	6_2_0120AB40
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0113CB7E mov eax, dword ptr fs:[00000030h]	6_2_0113CB7E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01212B57 mov eax, dword ptr fs:[00000030h]	6_2_01212B57
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01212B57 mov eax, dword ptr fs:[00000030h]	6_2_01212B57
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01212B57 mov eax, dword ptr fs:[00000030h]	6_2_01212B57
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01212B57 mov eax, dword ptr fs:[00000030h]	6_2_01212B57
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150BBE mov eax, dword ptr fs:[00000030h]	6_2_01150BBE
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150BBE mov eax, dword ptr fs:[00000030h]	6_2_01150BBE
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F4BB0 mov eax, dword ptr fs:[00000030h]	6_2_011F4BB0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011F4BB0 mov eax, dword ptr fs:[00000030h]	6_2_011F4BB0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EEBD0 mov eax, dword ptr fs:[00000030h]	6_2_011EEBD0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01140BCD mov eax, dword ptr fs:[00000030h]	6_2_01140BCD
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01140BCD mov eax, dword ptr fs:[00000030h]	6_2_01140BCD
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01140BCD mov eax, dword ptr fs:[00000030h]	6_2_01140BCD
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01160BCB mov eax, dword ptr fs:[00000030h]	6_2_01160BCB
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01160BCB mov eax, dword ptr fs:[00000030h]	6_2_01160BCB
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01160BCB mov eax, dword ptr fs:[00000030h]	6_2_01160BCB
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01148BF0 mov eax, dword ptr fs:[00000030h]	6_2_01148BF0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01148BF0 mov eax, dword ptr fs:[00000030h]	6_2_01148BF0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01148BF0 mov eax, dword ptr fs:[00000030h]	6_2_01148BF0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116EBFC mov eax, dword ptr fs:[00000030h]	6_2_0116EBFC
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CCBF0 mov eax, dword ptr fs:[00000030h]	6_2_011CCBF0
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011CCA11 mov eax, dword ptr fs:[00000030h]	6_2_011CCA11
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01164A35 mov eax, dword ptr fs:[00000030h]	6_2_01164A35
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01164A35 mov eax, dword ptr fs:[00000030h]	6_2_01164A35
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117CA38 mov eax, dword ptr fs:[00000030h]	6_2_0117CA38
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117CA24 mov eax, dword ptr fs:[00000030h]	6_2_0117CA24
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0116EA2E mov eax, dword ptr fs:[00000030h]	6_2_0116EA2E
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01146A50 mov eax, dword ptr fs:[00000030h]	6_2_01146A50
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01146A50 mov eax, dword ptr fs:[00000030h]	6_2_01146A50
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01146A50 mov eax, dword ptr fs:[00000030h]	6_2_01146A50
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01146A50 mov eax, dword ptr fs:[00000030h]	6_2_01146A50
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01146A50 mov eax, dword ptr fs:[00000030h]	6_2_01146A50
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01146A50 mov eax, dword ptr fs:[00000030h]	6_2_01146A50
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01146A50 mov eax, dword ptr fs:[00000030h]	6_2_01146A50
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150A5B mov eax, dword ptr fs:[00000030h]	6_2_01150A5B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01150A5B mov eax, dword ptr fs:[00000030h]	6_2_01150A5B
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BCA72 mov eax, dword ptr fs:[00000030h]	6_2_011BCA72
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011BCA72 mov eax, dword ptr fs:[00000030h]	6_2_011BCA72
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117CA6F mov eax, dword ptr fs:[00000030h]	6_2_0117CA6F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117CA6F mov eax, dword ptr fs:[00000030h]	6_2_0117CA6F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0117CA6F mov eax, dword ptr fs:[00000030h]	6_2_0117CA6F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_011EEA60 mov eax, dword ptr fs:[00000030h]	6_2_011EEA60
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01178A90 mov edx, dword ptr fs:[00000030h]	6_2_01178A90
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114EA80 mov eax, dword ptr fs:[00000030h]	6_2_0114EA80
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114EA80 mov eax, dword ptr fs:[00000030h]	6_2_0114EA80
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114EA80 mov eax, dword ptr fs:[00000030h]	6_2_0114EA80
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114EA80 mov eax, dword ptr fs:[00000030h]	6_2_0114EA80
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114EA80 mov eax, dword ptr fs:[00000030h]	6_2_0114EA80
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114EA80 mov eax, dword ptr fs:[00000030h]	6_2_0114EA80
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114EA80 mov eax, dword ptr fs:[00000030h]	6_2_0114EA80
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114EA80 mov eax, dword ptr fs:[00000030h]	6_2_0114EA80
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_0114EA80 mov eax, dword ptr fs:[00000030h]	6_2_0114EA80
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Code function: 6_2_01214A80 mov eax, dword ptr fs:[00000030h]	6_2_01214A80

Source: C:\Windows\SysWOW64\netsh.exe

Code function: 8_2_01083A08 _wcsicmp,_wcsicmp,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,_wcsupr,GetProcessHeap,HeapFree,

8_2_01083A08

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_01089930 SetUnhandledExceptionFilter,		8_2_01089930
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_010896E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		8_2_010896E0

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 199.59.243.226 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.244.93.3 80			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	NtClose: Indirect: 0xB0A56C
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	NtQueueApcThread: Indirect: 0xB0A4F2			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

Memory written: C:\Users\user\Desktop\hOe2JrpIAE.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Thread register set: target process: 1028			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 1028			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1080000

Jump to behavior

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hOe2JrpIAE.exe"	Jump to behavior

Source: explorer.exe, 00000007.00000003.3099099836.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096597969.0000000009B7A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000007.00000002.4442723269.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2007472655.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000002.4442723269.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2008880814.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2007472655.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.4442723269.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2007472655.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.4442723269.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2007472655.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.2007072938.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4441584000.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Queries volume information: C:\Users\user\Desktop\hOe2JrpIAE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\netsh.exe

Code function: 8_2_01089B55 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

8_2_01089B55

Source: C:\Windows\SysWOW64\netsh.exe

Code function: 8_2_010892E8 memset,GetVersionExW,

8_2_010892E8

Source: C:\Users\user\Desktop\hOe2JrpIAE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.3f99970.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.7140000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.5b50000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.7140000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.340bcdc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.33e7f58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.340acc4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2005358517.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2007353143.0000000005B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005886630.0000000003F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2007470548.0000000007140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005358517.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.3f99970.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.7140000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.5b50000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.7140000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.340bcdc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.33e7f58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hOe2JrpIAE.exe.340acc4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2005358517.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2007353143.0000000005B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005886630.0000000003F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2007470548.0000000007140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2005358517.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	612 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	612 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	22 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hOe2JrpIAE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
hOe2JrpIAE.exe