
Analysis Report SecuriteInfo.com.Trojan.Inject4.1220.18568.6027

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Inject4.1220.18568.6027 (renamed file extension from 6027 to exe)
Analysis ID: 287067
MD5: ffe26ed83f513b68a3cdf68a9d971858
SHA1: c61aa6141026ed3fc190dbb3e46eac1c966d4133
SHA256: 8b53c85d1e84765875c93d5486a523b1913e72fc5a74ce18b162e63fe257f93f

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
.NET source code contains very large array initializations
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Windows Living Off The Land Binaries (LOLBins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.Inject4.1220.18568.exe (PID: 6736 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe' MD5: FFE26ED83F513B68A3CDF68A9D971858)
    • AddInProcess32.exe (PID: 7152 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • explorer.exe (PID: 3368 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 5872 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 7108 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.503152761.00000000033B0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000013.00000002.503152761.00000000033B0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.503152761.00000000033B0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18349:$sqlite3step: 68 34 1C 7B E1
  • 0x1845c:$sqlite3step: 68 34 1C 7B E1
  • 0x18378:$sqlite3text: 68 38 2A 90 C5
  • 0x1849d:$sqlite3text: 68 38 2A 90 C5
  • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.417214148.0000000001760000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000D.00000002.417214148.0000000001760000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
13.2.AddInProcess32.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
13.2.AddInProcess32.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18349:$sqlite3step: 68 34 1C 7B E1
  • 0x1845c:$sqlite3step: 68 34 1C 7B E1
  • 0x18378:$sqlite3text: 68 38 2A 90 C5
  • 0x1849d:$sqlite3text: 68 38 2A 90 C5
  • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
13.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
13.2.AddInProcess32.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x975a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa453:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a467:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further entry not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | Virustotal: Detection: 25%
Source: SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000013.00000002.503152761.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.417214148.0000000001760000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.502892274.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.503293595.00000000033E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.416214674.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.417250251.0000000001790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 13.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop ebx | 13_2_00407AFA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop edi | 13_2_00416C52
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop ebx | 19_2_03207AFC
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi | 19_2_03216C52

Source: i.dll.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: i.dll.0.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: i.dll.0.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: i.dll.0.dr | String found in binary or memory: http://s2.symcb.com0
Source: i.dll.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: i.dll.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: i.dll.0.dr | String found in binary or memory: http://sv.symcd.com0&
Source: i.dll.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: i.dll.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: i.dll.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: i.dll.0.dr | String found in binary or memory: http://www.symauth.com/cps0(
Source: i.dll.0.dr | String found in binary or memory: http://www.symauth.com/rpa00
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000011.00000000.400276887.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: i.dll.0.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: i.dll.0.dr | String found in binary or memory: https://d.symcb.com/rpa0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000013.00000002.503152761.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.417214148.0000000001760000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.502892274.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.503293595.00000000033E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.416214674.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.417250251.0000000001790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 13.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000013.00000002.503152761.00000000033B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.503152761.00000000033B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.417214148.0000000001760000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.417214148.0000000001760000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.502892274.0000000003200000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.502892274.0000000003200000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.503293595.00000000033E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.503293595.00000000033E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.416214674.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.416214674.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.417250251.0000000001790000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.417250251.0000000001790000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 13.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 13.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 13.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 13.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large array initializationsShow sources
          Source: SecuriteInfo.com.Trojan.Inject4.1220.18568.exe, ??4u0028?u0023?20?u005e?u003c8??3??u007c?6u003b?9u005b??/u0034??u0023??u002d38??u005d?7u002c?0??u005bu0040?6??u003e?2?1u0026?5??.csLarge array initialization: ??1[)??6?/0?}??4??2~*9????$57>????: array initializer size 152576
          Source: 0.0.SecuriteInfo.com.Trojan.Inject4.1220.18568.exe.a50000.0.unpack, ??4u0028?u0023?20?u005e?u003c8??3??u007c?6u003b?9u005b??/u0034??u0023??u002d38??u005d?7u002c?0??u005bu0040?6??u003e?2?1u0026?5??.csLarge array initialization: ??1[)??6?/0?}??4??2~*9????$57>????: array initializer size 152576
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_00419CA0 NtCreateFile,13_2_00419CA0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_00419D50 NtReadFile,13_2_00419D50
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_00419DD0 NtClose,13_2_00419DD0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_00419E80 NtAllocateVirtualMemory,13_2_00419E80
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_00419DCA NtReadFile,NtClose,13_2_00419DCA
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C99A0 NtCreateSection,LdrInitializeThunk,13_2_018C99A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C95D0 NtClose,LdrInitializeThunk,13_2_018C95D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,13_2_018C9910
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9540 NtReadFile,LdrInitializeThunk,13_2_018C9540
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C98F0 NtReadVirtualMemory,LdrInitializeThunk,13_2_018C98F0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9840 NtDelayExecution,LdrInitializeThunk,13_2_018C9840
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9860 NtQuerySystemInformation,LdrInitializeThunk,13_2_018C9860
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9780 NtMapViewOfSection,LdrInitializeThunk,13_2_018C9780
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C97A0 NtUnmapViewOfSection,LdrInitializeThunk,13_2_018C97A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9710 NtQueryInformationToken,LdrInitializeThunk,13_2_018C9710
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C96E0 NtFreeVirtualMemory,LdrInitializeThunk,13_2_018C96E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9A00 NtProtectVirtualMemory,LdrInitializeThunk,13_2_018C9A00
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9A20 NtResumeThread,LdrInitializeThunk,13_2_018C9A20
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9A50 NtCreateFile,LdrInitializeThunk,13_2_018C9A50
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9660 NtAllocateVirtualMemory,LdrInitializeThunk,13_2_018C9660
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C99D0 NtCreateProcessEx,13_2_018C99D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C95F0 NtQueryInformationFile,13_2_018C95F0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9520 NtWaitForSingleObject,13_2_018C9520
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018CAD30 NtSetContextThread,13_2_018CAD30
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9950 NtQueueApcThread,13_2_018C9950
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9560 NtWriteFile,13_2_018C9560
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C98A0 NtWriteVirtualMemory,13_2_018C98A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9820 NtEnumerateKey,13_2_018C9820
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018CB040 NtSuspendThread,13_2_018CB040
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018CA3B0 NtGetContextThread,13_2_018CA3B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9FE0 NtCreateMutant,13_2_018C9FE0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9B00 NtSetValueKey,13_2_018C9B00
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018CA710 NtOpenProcessToken,13_2_018CA710
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9730 NtQueryVirtualMemory,13_2_018C9730
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9760 NtOpenProcess,13_2_018C9760
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9770 NtSetInformationFile,13_2_018C9770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018CA770 NtOpenThread,13_2_018CA770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9A80 NtOpenDirectoryObject,13_2_018C9A80
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C96D0 NtCreateKey,13_2_018C96D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9610 NtEnumerateValueKey,13_2_018C9610
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9A10 NtQuerySection,13_2_018C9A10
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9650 NtQueryValueKey,13_2_018C9650
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C9670 NtQueryInformationProcess,13_2_018C9670
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079540 NtReadFile,LdrInitializeThunk,19_2_05079540
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050795D0 NtClose,LdrInitializeThunk,19_2_050795D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079710 NtQueryInformationToken,LdrInitializeThunk,19_2_05079710
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079780 NtMapViewOfSection,LdrInitializeThunk,19_2_05079780
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079FE0 NtCreateMutant,LdrInitializeThunk,19_2_05079FE0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079650 NtQueryValueKey,LdrInitializeThunk,19_2_05079650
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079660 NtAllocateVirtualMemory,LdrInitializeThunk,19_2_05079660
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050796D0 NtCreateKey,LdrInitializeThunk,19_2_050796D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050796E0 NtFreeVirtualMemory,LdrInitializeThunk,19_2_050796E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079910 NtAdjustPrivilegesToken,LdrInitializeThunk,19_2_05079910
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050799A0 NtCreateSection,LdrInitializeThunk,19_2_050799A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079840 NtDelayExecution,LdrInitializeThunk,19_2_05079840
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079860 NtQuerySystemInformation,LdrInitializeThunk,19_2_05079860
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079A50 NtCreateFile,LdrInitializeThunk,19_2_05079A50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079520 NtWaitForSingleObject,19_2_05079520
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0507AD30 NtSetContextThread,19_2_0507AD30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079560 NtWriteFile,19_2_05079560
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050795F0 NtQueryInformationFile,19_2_050795F0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0507A710 NtOpenProcessToken,19_2_0507A710
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079730 NtQueryVirtualMemory,19_2_05079730
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079760 NtOpenProcess,19_2_05079760
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0507A770 NtOpenThread,19_2_0507A770
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079770 NtSetInformationFile,19_2_05079770
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050797A0 NtUnmapViewOfSection,19_2_050797A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079610 NtEnumerateValueKey,19_2_05079610
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079670 NtQueryInformationProcess,19_2_05079670
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079950 NtQueueApcThread,19_2_05079950
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050799D0 NtCreateProcessEx,19_2_050799D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079820 NtEnumerateKey,19_2_05079820
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0507B040 NtSuspendThread,19_2_0507B040
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050798A0 NtWriteVirtualMemory,19_2_050798A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050798F0 NtReadVirtualMemory,19_2_050798F0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079B00 NtSetValueKey,19_2_05079B00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0507A3B0 NtGetContextThread,19_2_0507A3B0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079A00 NtProtectVirtualMemory,19_2_05079A00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079A10 NtQuerySection,19_2_05079A10
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079A20 NtResumeThread,19_2_05079A20
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05079A80 NtOpenDirectoryObject,19_2_05079A80
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_03219E80 NtAllocateVirtualMemory,19_2_03219E80
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_03219D50 NtReadFile,19_2_03219D50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_03219DD0 NtClose,19_2_03219DD0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_03219CA0 NtCreateFile,19_2_03219CA0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_03219DCA NtReadFile,NtClose,19_2_03219DCA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_00401174
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0041E11A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0041E923
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0041EA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0041E4CB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0041D581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_00402D88
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_00409E20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0041CEFA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_00DE2050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_018B2581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_019525DD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0189D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0188F900
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_01952D07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_01880D20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_018A4120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_01951D55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0189B090
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_018B20A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_019520A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_01941002
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0189841F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_018BEBB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0194DBD2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_01951FF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_01952B28
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_019522AE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_01952EF7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_018A6E30
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_05102D07
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_05030D20
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_05101D55
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_05062581
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_050F2D82
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_051025DD
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0504D5E0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0504841F
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_050FD466
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0505B477
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_050F4496
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0510DFCE
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_05101FF1
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_050FD616
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_05056E30
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_05102EF7
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0503F900
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_05054120
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_050599BF
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_050F1002
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0510E824
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0505A830
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0504B090
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_050620A0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_051020A8
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_051028EC
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0505A309
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_05102B28
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_050DCB4F
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0505AB40
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0506138B
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0506EBB0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_050F03DA
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_050FDBD2
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0506ABD8
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_050E23E3
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_050EFA2B
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0505B236
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_051022AE
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_050F4AEF
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0321EA16
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0321E923
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0321E11A
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_03202FB0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_03209E20
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0321CEFA
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_03202D88
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_03202D90
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0321E4CB
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: String function: 0188B150 appears 35 times
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 0503B150 appears 136 times
Source: SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.Inject4.1220.18568.exe, 00000000.00000000.232777494.0000000000A68000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBUCHI.exeD vs SecuriteInfo.com.Trojan.Inject4.1220.18568.exe
Source: SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | Binary or memory string: OriginalFilenameBUCHI.exeD vs SecuriteInfo.com.Trojan.Inject4.1220.18568.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 00000013.00000002.503152761.00000000033B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.503152761.00000000033B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.417214148.0000000001760000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.417214148.0000000001760000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.502892274.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.502892274.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.503293595.00000000033E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.503293595.00000000033E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.416214674.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.416214674.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.417250251.0000000001790000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.417250251.0000000001790000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | File created: C:\Users\user\AppData\Local\Temp\b1f92ac9-345d-4ee6-83d6-512dab76f3b9
Source: SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | Virustotal: Detection: 25%
Source: SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | ReversingLabs: Detection: 25%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: cmstp.pdbGCTL source: AddInProcess32.exe, 0000000D.00000002.417333855.0000000001810000.00000040.00000001.sdmp
          Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, cmstp.exe, 00000013.00000002.506082448.000000000553F000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000011.00000000.401808665.000000000D940000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000D.00000002.417354217.0000000001860000.00000040.00000001.sdmp, cmstp.exe, 00000013.00000002.504301948.0000000005010000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: AddInProcess32.exe, 0000000D.00000002.417333855.0000000001810000.00000040.00000001.sdmp
          Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 0000000D.00000000.367842577.0000000000DE2000.00000002.00020000.sdmp, cmstp.exe, 00000013.00000002.506082448.000000000553F000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: i.dll.0.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 00000011.00000000.401808665.000000000D940000.00000002.00000001.sdmp
Source: i.dll.0.dr | Static PE information: section name: .didat
Source: i.dll.0.dr | Static PE information: section name: .00cfg
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_00417872 push edi; retf 13_2_00417885
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0041B395 push cs; ret 13_2_0041B39C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_00409B9C push edi; retf 13_2_00409B9D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0040E42A pushad ; retf 13_2_0040E42B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0041CDF5 push eax; ret 13_2_0041CE48
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0041CE42 push eax; ret 13_2_0041CE48
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0041CE4B push eax; ret 13_2_0041CEB2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0041DEC4 push ecx; iretd 13_2_0041DEC5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_0041CEAC push eax; ret 13_2_0041CEB2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 13_2_018DD0D1 push ecx; ret 13_2_018DD0E4
Source: C:\Windows\explorer.exe | Code function: 17_2_04F901BF pushfd ; iretd 17_2_04F901CC
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0508D0D1 push ecx; ret 19_2_0508D0E4
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0321B395 push cs; ret 19_2_0321B39C
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_03209B9C push edi; retf 19_2_03209B9D
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0321D9D7 push esp; ret 19_2_0321D9D8
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_03217872 push edi; retf 19_2_03217885
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0321CE42 push eax; ret 19_2_0321CE48
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0321CE4B push eax; ret 19_2_0321CEB2
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0321CEAC push eax; ret 19_2_0321CEB2
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0321DEC4 push ecx; iretd 19_2_0321DEC5
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0321CDF5 push eax; ret 19_2_0321CE48
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 19_2_0320E42A pushad ; retf 19_2_0320E42B
Source: initial sample | Static PE information: section name: .text entropy: 7.41168094741
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | File created: C:\Users\user\AppData\Local\Temp\b1f92ac9-345d-4ee6-83d6-512dab76f3b9\i.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe; RDTSC instruction interceptor: first address 0000000072F21D36, second address 0000000072F22A87, instructions:
              0x00000000 rdtsc
              0x00000002 mov dword ptr [ebp-10h], eax
              0x00000005 mov dword ptr [ebp-0Ch], edx
              0x00000008 mov eax, dword ptr [ebp-10h]
              0x0000000b sub eax, dword ptr [ebp-08h]
              0x0000000e mov edx, dword ptr [ebp-0Ch]
              0x00000011 sbb edx, dword ptr [ebp-04h]
              0x00000014 pop edi
              0x00000015 pop esi
              0x00000016 pop ebx
              0x00000017 mov esp, ebp
              0x00000019 pop ebp
              0x0000001a ret
              0x0000001b mov dword ptr [72F353C0h], eax
              0x00000020 mov dword ptr [72F353C4h], edx
              0x00000026 mov dword ptr [ebp-0Ch], 00000000h
              0x0000002d jmp 00007FC858B1A1ABh
              0x0000002f mov eax, dword ptr [ebp-0Ch]
              0x00000032 cmp eax, dword ptr [ebp+08h]
              0x00000035 jnl 00007FC858B1A1E6h
              0x00000037 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; RDTSC instruction interceptor: first address 00000000004098D4, second address 00000000004098DA, instructions:
              0x00000000 rdtsc
              0x00000002 xor ecx, ecx
              0x00000004 add ecx, eax
              0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; RDTSC instruction interceptor: first address 0000000000409B3E, second address 0000000000409B44, instructions:
              0x00000000 rdtsc
              0x00000002 xor ecx, ecx
              0x00000004 add ecx, eax
              0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe; RDTSC instruction interceptor: first address 00000000032098D4, second address 00000000032098DA, instructions:
              0x00000000 rdtsc
              0x00000002 xor ecx, ecx
              0x00000004 add ecx, eax
              0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe; RDTSC instruction interceptor: first address 0000000003209B3E, second address 0000000003209B44, instructions:
              0x00000000 rdtsc
              0x00000002 xor ecx, ecx
              0x00000004 add ecx, eax
              0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 13_2_00409A70 rdtsc
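          The script below is an added worked example; it is not code from the sandbox, from this report or from the sample. It reproduces statically what the RDTSC interceptor above and the fs:[30h] "Code function" entries later in this section are keyed on: given a raw code dump (for instance the image that the hits at 004098D4/00409B3E sit in, which reappears at the same low address bits 0x2E00000 higher in cmstp.exe, i.e. 032098D4/03209B3E), it lists pairs of rdtsc instructions a few bytes apart and every mov eax/ecx, dword ptr fs:[30h] load, and it carries out the 64-bit edx:eax subtraction (sub/sbb) that the first trace performs. The function names, the max_gap window, the threshold argument and the input bytes are all my own choices for illustration; the input is constructed to contain the exact six-byte rdtsc / xor ecx, ecx / add ecx, eax / rdtsc sequence the report shows at 004098D4-004098DA, and the opcode constants are properties of the 32-bit x86 ISA, not of the sample.

```python
"""Static triage for rdtsc timing pairs and fs:[30h] PEB reads in 32-bit x86 code.

Added example; this is not code from the sandbox, from this report or from the
sample. Input is a raw code dump (bytes); output is what the behavioural
signatures in this section are keyed on.
"""
from typing import Dict, List, Tuple

# 32-bit x86 encodings (properties of the ISA, not of the sample):
#   0F 31                  rdtsc
#   64 A1 30 00 00 00      mov eax, dword ptr fs:[30h]   (TEB -> PEB pointer)
#   64 8B 0D 30 00 00 00   mov ecx, dword ptr fs:[30h]
RDTSC = b"\x0f\x31"
PEB_READS: Dict[bytes, str] = {
    b"\x64\xa1\x30\x00\x00\x00": "mov eax, dword ptr fs:[30h]",
    b"\x64\x8b\x0d\x30\x00\x00\x00": "mov ecx, dword ptr fs:[30h]",
}
MASK64 = (1 << 64) - 1


def find_all(blob: bytes, pattern: bytes) -> List[int]:
    """Every offset of `pattern` in `blob`, overlapping matches included."""
    hits, start = [], 0
    while True:
        idx = blob.find(pattern, start)
        if idx == -1:
            return hits
        hits.append(idx)
        start = idx + 1


def rdtsc_pairs(blob: bytes, max_gap: int = 64) -> List[Tuple[int, int]]:
    """Approximate the interceptor's 'first address / second address' output:
    two rdtsc instructions at most `max_gap` bytes apart, the shape of a
    timing probe (read TSC, run the probed code, read TSC again)."""
    offs = find_all(blob, RDTSC)
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= max_gap]


def peb_reads(blob: bytes) -> List[Tuple[int, str]]:
    """Offsets of fs:[30h] loads, the instruction behind the PEB-read entries."""
    return sorted((off, text) for pat, text in PEB_READS.items() for off in find_all(blob, pat))


def tsc_delta(lo_before: int, hi_before: int, lo_after: int, hi_after: int) -> int:
    """The 64-bit subtraction the first trace performs on edx:eax:
         sub eax, dword ptr [ebp-08h]   ; low half
         sbb edx, dword ptr [ebp-04h]   ; high half, minus the borrow
    Returns (after - before) as the CPU does, unsigned modulo 2**64."""
    before = (hi_before << 32) | lo_before
    after = (hi_after << 32) | lo_after
    return (after - before) & MASK64


def looks_virtualized(delta: int, threshold: int) -> bool:
    """The decision a timing check makes: under a hypervisor the probed code
    (or rdtsc itself, when it traps) costs far more cycles than on bare metal.
    `threshold` is a placeholder; the sample's own cut-off is not in the report."""
    return delta > threshold


# Constructed input, not bytes from the sample: a prologue, the exact 6-byte
# sequence reported at 004098D4-004098DA (rdtsc / xor ecx,ecx / add ecx,eax /
# rdtsc), padding, then a PEB read followed by a load of PEB.BeingDebugged (+2).
SAMPLE = (
    b"\x55\x8b\xec"                  # push ebp; mov ebp, esp         offset 0
    + b"\x0f\x31"                    # rdtsc                          offset 3
    + b"\x31\xc9"                    # xor ecx, ecx                   offset 5
    + b"\x01\xc1"                    # add ecx, eax                   offset 7
    + b"\x0f\x31"                    # rdtsc                          offset 9
    + b"\x90" * 8                    # nop x8                         offset 11
    + b"\x64\xa1\x30\x00\x00\x00"    # mov eax, dword ptr fs:[30h]    offset 19
    + b"\x8a\x40\x02"                # mov al, byte ptr [eax+2]       offset 25
    + b"\xc3"                        # ret                            offset 28
)


def triage(blob: bytes) -> Dict[str, list]:
    """Summary in the report's own terms (addresses as 8-digit hex offsets)."""
    return {
        "rdtsc_pairs": [(f"{a:08X}", f"{b:08X}") for a, b in rdtsc_pairs(blob)],
        "peb_reads": [(f"{off:08X}", text) for off, text in peb_reads(blob)],
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
    # sub/sbb worked through a 2**32 carry: 0x2_00000010 - 0x1_FFFFFFF0
    print(hex(tsc_delta(0xFFFFFFF0, 0x1, 0x10, 0x2)))  # 0x20
```

          Run it over the code section of a dumped image rather than the whole file: 0F 31 also occurs inside data and immediates, so the static pass over-approximates what the interceptor, which only sees instructions that actually execute, reports. The first trace shows the opposite limitation: its two rdtsc reads are 0xD51 bytes apart (0x72F21D36 versus 0x72F22A87) and are adjacent only in execution order, across a ret and a jmp, so the dynamic interceptor pairs them while a byte-gap scan does not.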
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe; Thread delayed: delay time: 922337203685477 (x2)
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe TID: 6796; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe TID: 6780; Thread sleep count: 196 > 30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe TID: 5328; Thread sleep count: 316 > 30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe TID: 5328; Thread sleep count: 251 > 30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe TID: 6764; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe; Last function: Thread delayed
          Source: explorer.exe, 00000011.00000000.398681625.0000000008142000.00000004.00000001.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000011.00000000.399337359.00000000082E0000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000011.00000000.398016152.0000000007AB0000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000011.00000000.398634885.00000000080EC000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00ag~FW[:
          Source: explorer.exe, 00000011.00000002.516766546.0000000005EB0000.00000004.00000001.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000011.00000000.398681625.0000000008142000.00000004.00000001.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000011.00000000.398016152.0000000007AB0000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000011.00000000.398016152.0000000007AB0000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000011.00000000.398681625.0000000008142000.00000004.00000001.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000011.00000000.398634885.00000000080EC000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00l
          Source: explorer.exe, 00000011.00000000.398016152.0000000007AB0000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe; Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exe; Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 13_2_00409A70 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 13_2_0040ACB0 LdrLoadDll
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code functions that read the PEB pointer from the TEB (fs:[30h]), one line per function, (xN) giving the number of identical hits the report listed for it:
              13_2_01882D8A mov eax, dword ptr fs:[00000030h] (x5)
              13_2_018AC182 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018B2581 mov eax, dword ptr fs:[00000030h] (x4)
              13_2_018BA185 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018BFD9B mov eax, dword ptr fs:[00000030h] (x2)
              13_2_018B2990 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018B35A1 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018B61A0 mov eax, dword ptr fs:[00000030h] (x2)
              13_2_019051BE mov eax, dword ptr fs:[00000030h] (x4)
              13_2_019069A6 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_019505AC mov eax, dword ptr fs:[00000030h] (x2)
              13_2_018B1DB5 mov eax, dword ptr fs:[00000030h] (x3)
              13_2_01906DC9 mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h] (x1)
              13_2_01938DF1 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0188B1E1 mov eax, dword ptr fs:[00000030h] (x3)
              13_2_0189D5E0 mov eax, dword ptr fs:[00000030h] (x2)
              13_2_0194FDE2 mov eax, dword ptr fs:[00000030h] (x4)
              13_2_019141E8 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_01889100 mov eax, dword ptr fs:[00000030h] (x3)
              13_2_01958D34 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0190A537 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018A4120 mov eax, dword ptr fs:[00000030h] (x4); mov ecx, dword ptr fs:[00000030h] (x1)
              13_2_0194E539 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018B4D3B mov eax, dword ptr fs:[00000030h] (x3)
              13_2_018B513A mov eax, dword ptr fs:[00000030h] (x2)
              13_2_0188AD30 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_01893D34 mov eax, dword ptr fs:[00000030h] (x13)
              13_2_018AB944 mov eax, dword ptr fs:[00000030h] (x2)
              13_2_018C3D43 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_01903540 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018A7D50 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0188C962 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0188B171 mov eax, dword ptr fs:[00000030h] (x2)
              13_2_018AC577 mov eax, dword ptr fs:[00000030h] (x2)
              13_2_01889080 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0189849B mov eax, dword ptr fs:[00000030h] (x1)
              13_2_01903884 mov eax, dword ptr fs:[00000030h] (x2)
              13_2_018C90AF mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018B20A0 mov eax, dword ptr fs:[00000030h] (x6)
              13_2_018BF0BF mov ecx, dword ptr fs:[00000030h] (x1); mov eax, dword ptr fs:[00000030h] (x2)
              13_2_0191B8D0 mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h] (x1)
              13_2_01958CD6 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_01906CF0 mov eax, dword ptr fs:[00000030h] (x3)
              13_2_018858EC mov eax, dword ptr fs:[00000030h] (x1)
              13_2_019414FB mov eax, dword ptr fs:[00000030h] (x1)
              13_2_01954015 mov eax, dword ptr fs:[00000030h] (x2)
              13_2_01907016 mov eax, dword ptr fs:[00000030h] (x3)
              13_2_01941C06 mov eax, dword ptr fs:[00000030h] (x14)
              13_2_0195740D mov eax, dword ptr fs:[00000030h] (x3)
              13_2_01906C0A mov eax, dword ptr fs:[00000030h] (x4)
              13_2_0189B02A mov eax, dword ptr fs:[00000030h] (x4)
              13_2_018B002D mov eax, dword ptr fs:[00000030h] (x5)
              13_2_018BBC2C mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018BA44B mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0191C450 mov eax, dword ptr fs:[00000030h] (x2)
              13_2_018A0050 mov eax, dword ptr fs:[00000030h] (x2)
              13_2_01951074 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_01942073 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018A746D mov eax, dword ptr fs:[00000030h] (x1)
              13_2_01907794 mov eax, dword ptr fs:[00000030h] (x3)
              13_2_01891B8F mov eax, dword ptr fs:[00000030h] (x2)
              13_2_0193D380 mov ecx, dword ptr fs:[00000030h] (x1)
              13_2_018BB390 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018B2397 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_01898794 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0194138A mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018B4BAD mov eax, dword ptr fs:[00000030h] (x3)
              13_2_01955BA5 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_019053CA mov eax, dword ptr fs:[00000030h] (x2)
              13_2_018ADBE9 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018B03E2 mov eax, dword ptr fs:[00000030h] (x6)
              13_2_018C37F5 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0191FF10 mov eax, dword ptr fs:[00000030h] (x2)
              13_2_018BA70E mov eax, dword ptr fs:[00000030h] (x2)
              13_2_0194131B mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0195070D mov eax, dword ptr fs:[00000030h] (x2)
              13_2_018AF716 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_01884F2E mov eax, dword ptr fs:[00000030h] (x2)
              13_2_018BE730 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0188DB40 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0189EF40 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_01958B58 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0188F358 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0188DB60 mov ecx, dword ptr fs:[00000030h] (x1)
              13_2_0189FF60 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018B3B7A mov eax, dword ptr fs:[00000030h] (x2)
              13_2_01958F6A mov eax, dword ptr fs:[00000030h] (x1)
              13_2_0191FE87 mov eax, dword ptr fs:[00000030h] (x1)
              13_2_018BD294 mov eax, dword ptr fs:[00000030h] (x2)
              13_2_018852A5 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018852A5 mov eax, dword ptr fs:[00000030h]13_2_018852A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018852A5 mov eax, dword ptr fs:[00000030h]13_2_018852A5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01950EA5 mov eax, dword ptr fs:[00000030h]13_2_01950EA5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01950EA5 mov eax, dword ptr fs:[00000030h]13_2_01950EA5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01950EA5 mov eax, dword ptr fs:[00000030h]13_2_01950EA5
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_019046A7 mov eax, dword ptr fs:[00000030h]13_2_019046A7
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0189AAB0 mov eax, dword ptr fs:[00000030h]13_2_0189AAB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0189AAB0 mov eax, dword ptr fs:[00000030h]13_2_0189AAB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018BFAB0 mov eax, dword ptr fs:[00000030h]13_2_018BFAB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018B2ACB mov eax, dword ptr fs:[00000030h]13_2_018B2ACB
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01958ED6 mov eax, dword ptr fs:[00000030h]13_2_01958ED6
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018B36CC mov eax, dword ptr fs:[00000030h]13_2_018B36CC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C8EC7 mov eax, dword ptr fs:[00000030h]13_2_018C8EC7
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0193FEC0 mov eax, dword ptr fs:[00000030h]13_2_0193FEC0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018B16E0 mov ecx, dword ptr fs:[00000030h]13_2_018B16E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018976E2 mov eax, dword ptr fs:[00000030h]13_2_018976E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018B2AE4 mov eax, dword ptr fs:[00000030h]13_2_018B2AE4
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01898A0A mov eax, dword ptr fs:[00000030h]13_2_01898A0A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0188C600 mov eax, dword ptr fs:[00000030h]13_2_0188C600
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0188C600 mov eax, dword ptr fs:[00000030h]13_2_0188C600
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0188C600 mov eax, dword ptr fs:[00000030h]13_2_0188C600
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018B8E00 mov eax, dword ptr fs:[00000030h]13_2_018B8E00
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018A3A1C mov eax, dword ptr fs:[00000030h]13_2_018A3A1C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018BA61C mov eax, dword ptr fs:[00000030h]13_2_018BA61C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018BA61C mov eax, dword ptr fs:[00000030h]13_2_018BA61C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01885210 mov eax, dword ptr fs:[00000030h]13_2_01885210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01885210 mov ecx, dword ptr fs:[00000030h]13_2_01885210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01885210 mov eax, dword ptr fs:[00000030h]13_2_01885210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01885210 mov eax, dword ptr fs:[00000030h]13_2_01885210
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01941608 mov eax, dword ptr fs:[00000030h]13_2_01941608
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0188AA16 mov eax, dword ptr fs:[00000030h]13_2_0188AA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0188AA16 mov eax, dword ptr fs:[00000030h]13_2_0188AA16
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C4A2C mov eax, dword ptr fs:[00000030h]13_2_018C4A2C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C4A2C mov eax, dword ptr fs:[00000030h]13_2_018C4A2C
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0188E620 mov eax, dword ptr fs:[00000030h]13_2_0188E620
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0193FE3F mov eax, dword ptr fs:[00000030h]13_2_0193FE3F
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0194EA55 mov eax, dword ptr fs:[00000030h]13_2_0194EA55
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01914257 mov eax, dword ptr fs:[00000030h]13_2_01914257
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01889240 mov eax, dword ptr fs:[00000030h]13_2_01889240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01889240 mov eax, dword ptr fs:[00000030h]13_2_01889240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01889240 mov eax, dword ptr fs:[00000030h]13_2_01889240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01889240 mov eax, dword ptr fs:[00000030h]13_2_01889240
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01897E41 mov eax, dword ptr fs:[00000030h]13_2_01897E41
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01897E41 mov eax, dword ptr fs:[00000030h]13_2_01897E41
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01897E41 mov eax, dword ptr fs:[00000030h]13_2_01897E41
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01897E41 mov eax, dword ptr fs:[00000030h]13_2_01897E41
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01897E41 mov eax, dword ptr fs:[00000030h]13_2_01897E41
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01897E41 mov eax, dword ptr fs:[00000030h]13_2_01897E41
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0194AE44 mov eax, dword ptr fs:[00000030h]13_2_0194AE44
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0194AE44 mov eax, dword ptr fs:[00000030h]13_2_0194AE44
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0189766D mov eax, dword ptr fs:[00000030h]13_2_0189766D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0193B260 mov eax, dword ptr fs:[00000030h]13_2_0193B260
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_0193B260 mov eax, dword ptr fs:[00000030h]13_2_0193B260
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018C927A mov eax, dword ptr fs:[00000030h]13_2_018C927A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_01958A62 mov eax, dword ptr fs:[00000030h]13_2_01958A62
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018AAE73 mov eax, dword ptr fs:[00000030h]13_2_018AAE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018AAE73 mov eax, dword ptr fs:[00000030h]13_2_018AAE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018AAE73 mov eax, dword ptr fs:[00000030h]13_2_018AAE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018AAE73 mov eax, dword ptr fs:[00000030h]13_2_018AAE73
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 13_2_018AAE73 mov eax, dword ptr fs:[00000030h]13_2_018AAE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05108D34 mov eax, dword ptr fs:[00000030h]19_2_05108D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05043D34 mov eax, dword ptr fs:[00000030h]19_2_05043D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05043D34 mov eax, dword ptr fs:[00000030h]19_2_05043D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05043D34 mov eax, dword ptr fs:[00000030h]19_2_05043D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05043D34 mov eax, dword ptr fs:[00000030h]19_2_05043D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05043D34 mov eax, dword ptr fs:[00000030h]19_2_05043D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05043D34 mov eax, dword ptr fs:[00000030h]19_2_05043D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05043D34 mov eax, dword ptr fs:[00000030h]19_2_05043D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05043D34 mov eax, dword ptr fs:[00000030h]19_2_05043D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05043D34 mov eax, dword ptr fs:[00000030h]19_2_05043D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05043D34 mov eax, dword ptr fs:[00000030h]19_2_05043D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05043D34 mov eax, dword ptr fs:[00000030h]19_2_05043D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05043D34 mov eax, dword ptr fs:[00000030h]19_2_05043D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05043D34 mov eax, dword ptr fs:[00000030h]19_2_05043D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0503AD30 mov eax, dword ptr fs:[00000030h]19_2_0503AD30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050FE539 mov eax, dword ptr fs:[00000030h]19_2_050FE539
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050BA537 mov eax, dword ptr fs:[00000030h]19_2_050BA537
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05064D3B mov eax, dword ptr fs:[00000030h]19_2_05064D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05064D3B mov eax, dword ptr fs:[00000030h]19_2_05064D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05064D3B mov eax, dword ptr fs:[00000030h]19_2_05064D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05073D43 mov eax, dword ptr fs:[00000030h]19_2_05073D43
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B3540 mov eax, dword ptr fs:[00000030h]19_2_050B3540
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050E3D40 mov eax, dword ptr fs:[00000030h]19_2_050E3D40
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05057D50 mov eax, dword ptr fs:[00000030h]19_2_05057D50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505C577 mov eax, dword ptr fs:[00000030h]19_2_0505C577
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505C577 mov eax, dword ptr fs:[00000030h]19_2_0505C577
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05062581 mov eax, dword ptr fs:[00000030h]19_2_05062581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05062581 mov eax, dword ptr fs:[00000030h]19_2_05062581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05062581 mov eax, dword ptr fs:[00000030h]19_2_05062581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05062581 mov eax, dword ptr fs:[00000030h]19_2_05062581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05032D8A mov eax, dword ptr fs:[00000030h]19_2_05032D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05032D8A mov eax, dword ptr fs:[00000030h]19_2_05032D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05032D8A mov eax, dword ptr fs:[00000030h]19_2_05032D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05032D8A mov eax, dword ptr fs:[00000030h]19_2_05032D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05032D8A mov eax, dword ptr fs:[00000030h]19_2_05032D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F2D82 mov eax, dword ptr fs:[00000030h]19_2_050F2D82
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F2D82 mov eax, dword ptr fs:[00000030h]19_2_050F2D82
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F2D82 mov eax, dword ptr fs:[00000030h]19_2_050F2D82
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F2D82 mov eax, dword ptr fs:[00000030h]19_2_050F2D82
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F2D82 mov eax, dword ptr fs:[00000030h]19_2_050F2D82
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F2D82 mov eax, dword ptr fs:[00000030h]19_2_050F2D82
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F2D82 mov eax, dword ptr fs:[00000030h]19_2_050F2D82
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506FD9B mov eax, dword ptr fs:[00000030h]19_2_0506FD9B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506FD9B mov eax, dword ptr fs:[00000030h]19_2_0506FD9B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050635A1 mov eax, dword ptr fs:[00000030h]19_2_050635A1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05061DB5 mov eax, dword ptr fs:[00000030h]19_2_05061DB5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05061DB5 mov eax, dword ptr fs:[00000030h]19_2_05061DB5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05061DB5 mov eax, dword ptr fs:[00000030h]19_2_05061DB5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_051005AC mov eax, dword ptr fs:[00000030h]19_2_051005AC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_051005AC mov eax, dword ptr fs:[00000030h]19_2_051005AC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B6DC9 mov eax, dword ptr fs:[00000030h]19_2_050B6DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B6DC9 mov eax, dword ptr fs:[00000030h]19_2_050B6DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B6DC9 mov eax, dword ptr fs:[00000030h]19_2_050B6DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B6DC9 mov ecx, dword ptr fs:[00000030h]19_2_050B6DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B6DC9 mov eax, dword ptr fs:[00000030h]19_2_050B6DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B6DC9 mov eax, dword ptr fs:[00000030h]19_2_050B6DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0504D5E0 mov eax, dword ptr fs:[00000030h]19_2_0504D5E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0504D5E0 mov eax, dword ptr fs:[00000030h]19_2_0504D5E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050FFDE2 mov eax, dword ptr fs:[00000030h]19_2_050FFDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050FFDE2 mov eax, dword ptr fs:[00000030h]19_2_050FFDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050FFDE2 mov eax, dword ptr fs:[00000030h]19_2_050FFDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050FFDE2 mov eax, dword ptr fs:[00000030h]19_2_050FFDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050E8DF1 mov eax, dword ptr fs:[00000030h]19_2_050E8DF1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B6C0A mov eax, dword ptr fs:[00000030h]19_2_050B6C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B6C0A mov eax, dword ptr fs:[00000030h]19_2_050B6C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B6C0A mov eax, dword ptr fs:[00000030h]19_2_050B6C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B6C0A mov eax, dword ptr fs:[00000030h]19_2_050B6C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1C06 mov eax, dword ptr fs:[00000030h]19_2_050F1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0510740D mov eax, dword ptr fs:[00000030h]19_2_0510740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0510740D mov eax, dword ptr fs:[00000030h]19_2_0510740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0510740D mov eax, dword ptr fs:[00000030h]19_2_0510740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506BC2C mov eax, dword ptr fs:[00000030h]19_2_0506BC2C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506A44B mov eax, dword ptr fs:[00000030h]19_2_0506A44B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050CC450 mov eax, dword ptr fs:[00000030h]19_2_050CC450
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050CC450 mov eax, dword ptr fs:[00000030h]19_2_050CC450
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505746D mov eax, dword ptr fs:[00000030h]19_2_0505746D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B477 mov eax, dword ptr fs:[00000030h]19_2_0505B477
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B477 mov eax, dword ptr fs:[00000030h]19_2_0505B477
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B477 mov eax, dword ptr fs:[00000030h]19_2_0505B477
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B477 mov eax, dword ptr fs:[00000030h]19_2_0505B477
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B477 mov eax, dword ptr fs:[00000030h]19_2_0505B477
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B477 mov eax, dword ptr fs:[00000030h]19_2_0505B477
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B477 mov eax, dword ptr fs:[00000030h]19_2_0505B477
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B477 mov eax, dword ptr fs:[00000030h]19_2_0505B477
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B477 mov eax, dword ptr fs:[00000030h]19_2_0505B477
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B477 mov eax, dword ptr fs:[00000030h]19_2_0505B477
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B477 mov eax, dword ptr fs:[00000030h]19_2_0505B477
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B477 mov eax, dword ptr fs:[00000030h]19_2_0505B477
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506AC7B mov eax, dword ptr fs:[00000030h]19_2_0506AC7B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506AC7B mov eax, dword ptr fs:[00000030h]19_2_0506AC7B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506AC7B mov eax, dword ptr fs:[00000030h]19_2_0506AC7B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506AC7B mov eax, dword ptr fs:[00000030h]19_2_0506AC7B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506AC7B mov eax, dword ptr fs:[00000030h]19_2_0506AC7B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506AC7B mov eax, dword ptr fs:[00000030h]19_2_0506AC7B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506AC7B mov eax, dword ptr fs:[00000030h]19_2_0506AC7B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506AC7B mov eax, dword ptr fs:[00000030h]19_2_0506AC7B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506AC7B mov eax, dword ptr fs:[00000030h]19_2_0506AC7B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506AC7B mov eax, dword ptr fs:[00000030h]19_2_0506AC7B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506AC7B mov eax, dword ptr fs:[00000030h]19_2_0506AC7B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F4496 mov eax, dword ptr fs:[00000030h]19_2_050F4496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F4496 mov eax, dword ptr fs:[00000030h]19_2_050F4496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F4496 mov eax, dword ptr fs:[00000030h]19_2_050F4496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F4496 mov eax, dword ptr fs:[00000030h]19_2_050F4496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F4496 mov eax, dword ptr fs:[00000030h]19_2_050F4496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F4496 mov eax, dword ptr fs:[00000030h]19_2_050F4496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F4496 mov eax, dword ptr fs:[00000030h]19_2_050F4496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F4496 mov eax, dword ptr fs:[00000030h]19_2_050F4496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F4496 mov eax, dword ptr fs:[00000030h]19_2_050F4496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F4496 mov eax, dword ptr fs:[00000030h]19_2_050F4496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F4496 mov eax, dword ptr fs:[00000030h]19_2_050F4496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F4496 mov eax, dword ptr fs:[00000030h]19_2_050F4496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F4496 mov eax, dword ptr fs:[00000030h]19_2_050F4496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0504849B mov eax, dword ptr fs:[00000030h]19_2_0504849B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05108CD6 mov eax, dword ptr fs:[00000030h]19_2_05108CD6
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F14FB mov eax, dword ptr fs:[00000030h]19_2_050F14FB
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B6CF0 mov eax, dword ptr fs:[00000030h]19_2_050B6CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B6CF0 mov eax, dword ptr fs:[00000030h]19_2_050B6CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B6CF0 mov eax, dword ptr fs:[00000030h]19_2_050B6CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506A70E mov eax, dword ptr fs:[00000030h]19_2_0506A70E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506A70E mov eax, dword ptr fs:[00000030h]19_2_0506A70E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505F716 mov eax, dword ptr fs:[00000030h]19_2_0505F716
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050CFF10 mov eax, dword ptr fs:[00000030h]19_2_050CFF10
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050CFF10 mov eax, dword ptr fs:[00000030h]19_2_050CFF10
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0510070D mov eax, dword ptr fs:[00000030h]19_2_0510070D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0510070D mov eax, dword ptr fs:[00000030h]19_2_0510070D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05034F2E mov eax, dword ptr fs:[00000030h]19_2_05034F2E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05034F2E mov eax, dword ptr fs:[00000030h]19_2_05034F2E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0506E730 mov eax, dword ptr fs:[00000030h]19_2_0506E730
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B73D mov eax, dword ptr fs:[00000030h]19_2_0505B73D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0505B73D mov eax, dword ptr fs:[00000030h]19_2_0505B73D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0504EF40 mov eax, dword ptr fs:[00000030h]19_2_0504EF40
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0504FF60 mov eax, dword ptr fs:[00000030h]19_2_0504FF60
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05108F6A mov eax, dword ptr fs:[00000030h]19_2_05108F6A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05048794 mov eax, dword ptr fs:[00000030h]19_2_05048794
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B7794 mov eax, dword ptr fs:[00000030h]19_2_050B7794
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B7794 mov eax, dword ptr fs:[00000030h]19_2_050B7794
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050B7794 mov eax, dword ptr fs:[00000030h]19_2_050B7794
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050737F5 mov eax, dword ptr fs:[00000030h]19_2_050737F5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0503C600 mov eax, dword ptr fs:[00000030h]19_2_0503C600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0503C600 mov eax, dword ptr fs:[00000030h]19_2_0503C600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_0503C600 mov eax, dword ptr fs:[00000030h]19_2_0503C600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_05068E00 mov eax, dword ptr fs:[00000030h]19_2_05068E00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 19_2_050F1608 mov eax, dword ptr fs:[00000030h]19_2_050F1608
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe; Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmstp.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.1220.18568.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:
