Play interactive tour

Edit tour

Analysis Report PO.exe

Overview

General Information

Sample Name:	PO.exe
Analysis ID:	385455
MD5:	4bb710142c4fa183e24dbd3ce3c7b51d
SHA1:	64a659096deda60c37861ddc0d26d3bfb11cc0c7
SHA256:	4903d25c490e1b6c899c4fb9d3d3eb16d79c802245d4c2b667ff06f42724e358
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

.NET source code contains very large array initializations

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to launch a process as a different user

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

PO.exe (PID: 6856 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: 4BB710142C4FA183E24DBD3CE3C7B51D)

AddInProcess32.exe (PID: 7140 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wlanext.exe (PID: 6984 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)

cmd.exe (PID: 4488 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.retro-e-scooter.com/sawc/"], "decoy": ["prozedere.com", "p53mutation.net", "sidepiecebags.com", "5865145.com", "hushadianji.com", "riseses.com", "curvywahinemaui.com", "marienish.com", "tenxtimes.net", "xcusehheseje.com", "tjtradelimited.com", "mitraberdaya.com", "koedk.com", "currenibtc.com", "casa-rural-via.com", "prcodes.xyz", "brandariz.net", "mcsc.club", "curiget.xyz", "juli.world", "healingfory.com", "xuji68.com", "homartist.net", "acmetestanvils.com", "oaisdjoqwekxc.info", "wwwflixxy.com", "clickwisconsin.com", "magiqueweaves.com", "uox5.com", "boxj66.com", "yxcqi.com", "streaknews.com", "uorda.delivery", "milkflavor.xyz", "pandaning.com", "in-homeaccountants.com", "elblogdeyolie.com", "toughupshop.com", "sdubbink.com", "sentryinteract.com", "swpszx.com", "obsconth.site", "zhdplastic.com", "italia-re.com", "unsoldmelodies.com", "pciconsultings.com", "upliftgrp.com", "paraiso.info", "xyxrprt.com", "adanahabernet.com", "gopherguidance.com", "aengenheira.com", "myvegasboatparty.com", "abzarnovin.com", "atlantadomain.com", "sobukar.com", "directingandfilming.com", "cross23172.com", "harp-lily.com", "kentuckymeosnet.com", "wholesaletreenursery.com", "postmaster1.digital", "howtolistentomusiconline.com", "cqvckj.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8f2c:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x30e50:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x311ea:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14c3f:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3cefd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1472b:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3c9e9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14d41:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3cfff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14eb9:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3d177:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9944:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x31c02:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x139a6:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x3bc64:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa6bc:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x3297a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19d31:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x41fef:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1add4:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16c63:$sqlite3step: 68 34 1C 7B E1 0x16d76:$sqlite3step: 68 34 1C 7B E1 0x3ef21:$sqlite3step: 68 34 1C 7B E1 0x3f034:$sqlite3step: 68 34 1C 7B E1 0x16c92:$sqlite3text: 68 38 2A 90 C5 0x16db7:$sqlite3text: 68 38 2A 90 C5 0x3ef50:$sqlite3text: 68 38 2A 90 C5 0x3f075:$sqlite3text: 68 38 2A 90 C5 0x16ca5:$sqlite3blob: 68 53 D8 7F 8C 0x16dcd:$sqlite3blob: 68 53 D8 7F 8C 0x3ef63:$sqlite3blob: 68 53 D8 7F 8C 0x3f08b:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x31062:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x313fc:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x59342:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x596dc:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81612:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x819ac:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3d10f:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x653ef:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8d6bf:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3cbfb:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x64edb:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8d1ab:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3d211:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x654f1:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8d7c1:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3d389:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x65669:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8d939:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x31e14:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x5a0f4:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x823c4:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x3f133:$sqlite3step: 68 34 1C 7B E1 0x3f246:$sqlite3step: 68 34 1C 7B E1 0x67413:$sqlite3step: 68 34 1C 7B E1 0x67526:$sqlite3step: 68 34 1C 7B E1 0x8f6e3:$sqlite3step: 68 34 1C 7B E1 0x8f7f6:$sqlite3step: 68 34 1C 7B E1 0x3f162:$sqlite3text: 68 38 2A 90 C5 0x3f287:$sqlite3text: 68 38 2A 90 C5 0x67442:$sqlite3text: 68 38 2A 90 C5 0x67567:$sqlite3text: 68 38 2A 90 C5 0x8f712:$sqlite3text: 68 38 2A 90 C5 0x8f837:$sqlite3text: 68 38 2A 90 C5 0x3f175:$sqlite3blob: 68 53 D8 7F 8C 0x3f29d:$sqlite3blob: 68 53 D8 7F 8C 0x67455:$sqlite3blob: 68 53 D8 7F 8C 0x6757d:$sqlite3blob: 68 53 D8 7F 8C 0x8f725:$sqlite3blob: 68 53 D8 7F 8C 0x8f84d:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7eb0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x824a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13f5d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13a49:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1405f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x141d7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8c62:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12cc4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x99da:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1904f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a0f2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15f81:$sqlite3step: 68 34 1C 7B E1 0x16094:$sqlite3step: 68 34 1C 7B E1 0x15fb0:$sqlite3text: 68 38 2A 90 C5 0x160d5:$sqlite3text: 68 38 2A 90 C5 0x15fc3:$sqlite3blob: 68 53 D8 7F 8C 0x160eb:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
11.2.AddInProcess32.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.2.AddInProcess32.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
11.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
11.2.AddInProcess32.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.2.AddInProcess32.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.retro-e-scooter.com/sawc/"], "decoy": ["prozedere.com", "p53mutation.net", "sidepiecebags.com", "5865145.com", "hushadianji.com", "riseses.com", "curvywahinemaui.com", "marienish.com", "tenxtimes.net", "xcusehheseje.com", "tjtradelimited.com", "mitraberdaya.com", "koedk.com", "currenibtc.com", "casa-rural-via.com", "prcodes.xyz", "brandariz.net", "mcsc.club", "curiget.xyz", "juli.world", "healingfory.com", "xuji68.com", "homartist.net", "acmetestanvils.com", "oaisdjoqwekxc.info", "wwwflixxy.com", "clickwisconsin.com", "magiqueweaves.com", "uox5.com", "boxj66.com", "yxcqi.com", "streaknews.com", "uorda.delivery", "milkflavor.xyz", "pandaning.com", "in-homeaccountants.com", "elblogdeyolie.com", "toughupshop.com", "sdubbink.com", "sentryinteract.com", "swpszx.com", "obsconth.site", "zhdplastic.com", "italia-re.com", "unsoldmelodies.com", "pciconsultings.com", "upliftgrp.com", "paraiso.info", "xyxrprt.com", "adanahabernet.com", "gopherguidance.com", "aengenheira.com", "myvegasboatparty.com", "abzarnovin.com", "atlantadomain.com", "sobukar.com", "directingandfilming.com", "cross23172.com", "harp-lily.com", "kentuckymeosnet.com", "wholesaletreenursery.com", "postmaster1.digital", "howtolistentomusiconline.com", "cqvckj.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: PO.exe	Virustotal: Detection: 39%			Perma Link
Source: PO.exe	ReversingLabs: Detection: 27%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: PO.exe

Joe Sandbox ML: detected

Source: 11.2.AddInProcess32.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: PO.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: PO.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: AddInProcess32.pdb source: PO.exe, 00000000.00000003.736056198.00000000067E6000.00000004.00000001.sdmp, AddInProcess32.exe, wlanext.exe, 00000011.00000002.909296920.00000000003BD000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000F.00000000.770264469.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000B.00000002.793729525.0000000001C2F000.00000040.00000001.sdmp, wlanext.exe, 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, wlanext.exe
Source:	Binary string: wlanext.pdb source: AddInProcess32.exe, 0000000B.00000002.793498300.0000000001900000.00000040.00000001.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: PO.exe, 00000000.00000003.736056198.00000000067E6000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000002.792851636.0000000000FF2000.00000002.00020000.sdmp, wlanext.exe, 00000011.00000002.909296920.00000000003BD000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wlanext.pdbGCTL source: AddInProcess32.exe, 0000000B.00000002.793498300.0000000001900000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000F.00000000.770264469.0000000005A00000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then jmp 05AC8410h
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop esi

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.retro-e-scooter.com/sawc/

Source: global traffic	HTTP traffic detected: GET /sawc/?lf=CZ6X&nN60m=Yt32z530e2tITcOEW5SVHb5yrIELojDg7+FgI5/ZTK76GuoPLgYuVmd8rLeapbOqeXRQ HTTP/1.1Host: www.marienish.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sawc/?nN60m=oHoe0+b7kBAmda/0Hio/bDRlPufoMqcyuQMuAHeH1TSMS98bQSjEeWPHvQ043L9SYNbL&lf=CZ6X HTTP/1.1Host: www.wwwflixxy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sawc/?lf=CZ6X&nN60m=LtE+xZw49qZxNGHwe/5duJoxTMG7p0RZVZ9/xidjWtVQjRXR0IRVZ3163NMz7MOSj/bw HTTP/1.1Host: www.adanahabernet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sawc/?lf=CZ6X&nN60m=tBYTJLloxChiPW5nd8ZkTRTjZAEjhK8ruaBpTwz2qB9ROPU5gMN3GO43/2+iRXsYUADi HTTP/1.1Host: www.sidepiecebags.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sawc/?nN60m=ZLBYf+dvKraj5xhFECL+Ta+rlTPSnPltnvpHOwD/x7pMqcIuVlTqLuPQwCL73z9ijdq8&lf=CZ6X HTTP/1.1Host: www.mitraberdaya.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 81.17.18.197 81.17.18.197

Source: Joe Sandbox View	ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View	ASN Name: ASRSINETRU ASRSINETRU
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: C:\Windows\explorer.exe

Code function: 15_2_04DCC302 getaddrinfo,setsockopt,recv,

Source: global traffic	HTTP traffic detected: GET /sawc/?lf=CZ6X&nN60m=Yt32z530e2tITcOEW5SVHb5yrIELojDg7+FgI5/ZTK76GuoPLgYuVmd8rLeapbOqeXRQ HTTP/1.1Host: www.marienish.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sawc/?nN60m=oHoe0+b7kBAmda/0Hio/bDRlPufoMqcyuQMuAHeH1TSMS98bQSjEeWPHvQ043L9SYNbL&lf=CZ6X HTTP/1.1Host: www.wwwflixxy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sawc/?lf=CZ6X&nN60m=LtE+xZw49qZxNGHwe/5duJoxTMG7p0RZVZ9/xidjWtVQjRXR0IRVZ3163NMz7MOSj/bw HTTP/1.1Host: www.adanahabernet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sawc/?lf=CZ6X&nN60m=tBYTJLloxChiPW5nd8ZkTRTjZAEjhK8ruaBpTwz2qB9ROPU5gMN3GO43/2+iRXsYUADi HTTP/1.1Host: www.sidepiecebags.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sawc/?nN60m=ZLBYf+dvKraj5xhFECL+Ta+rlTPSnPltnvpHOwD/x7pMqcIuVlTqLuPQwCL73z9ijdq8&lf=CZ6X HTTP/1.1Host: www.mitraberdaya.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.marienish.com

Source: PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: PO.exe, 00000000.00000003.665827004.0000000006C9E000.00000004.00000001.sdmp, PO.exe, 00000000.00000003.744720624.0000000006CA3000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: PO.exe, 00000000.00000003.665827004.0000000006C9E000.00000004.00000001.sdmp, PO.exe, 00000000.00000003.744720624.0000000006CA3000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: PO.exe, 00000000.00000003.665827004.0000000006C9E000.00000004.00000001.sdmp, PO.exe, 00000000.00000003.744720624.0000000006CA3000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: PO.exe, 00000000.00000003.665827004.0000000006C9E000.00000004.00000001.sdmp	String found in binary or memory: http://ns.d
Source: PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: PO.exe, 00000000.00000002.753579067.0000000002AB0000.00000004.00000001.sdmp, PO.exe, 00000000.00000002.753609790.0000000002AC7000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: PO.exe, 00000000.00000002.753550210.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000F.00000000.754393079.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: PO.exe, 00000000.00000002.753550210.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: PO.exe, 00000000.00000002.753550210.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/
Source: wlanext.exe, 00000011.00000002.910661249.00000000033E2000.00000004.00000001.sdmp	String found in binary or memory: https://www.sidepiecebags.com/sawc?lf=CZ6X&nN60m=tBYTJLloxChiPW5nd8ZkTRTjZAEjhK8ruaBpTwz2qB9ROPU5gMN

Source: C:\Windows\explorer.exe

Code function: 15_2_04DC5EB2 OpenClipboard,

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large array initializations

Show sources

Source: PO.exe, Bq61/f1Y5.cs	Large array initialization: .cctor: array initializer size 4776
Source: 0.0.PO.exe.590000.0.unpack, Bq61/f1Y5.cs	Large array initialization: .cctor: array initializer size 4776
Source: 0.2.PO.exe.590000.0.unpack, Bq61/f1Y5.cs	Large array initialization: .cctor: array initializer size 4776

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_004181D0 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_00418280 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_00418300 NtClose,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_004183B0 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_004181CA NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0041827A NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_004182CA NtClose,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_004183AA NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B798F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B795D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B797A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B799D0 NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79950 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B798A0 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79820 NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B7B040 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B7A3B0 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79B00 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79A80 NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79A10 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B795F0 NtQueryInformationFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B7AD30 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79520 NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79560 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79730 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B7A710 NtOpenProcessToken,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B7A770 NtOpenThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79770 NtSetInformationFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79760 NtOpenProcess,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B796D0 NtCreateKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79610 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79670 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B79650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D999A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D996D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D996E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D995D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99A10 NtQuerySection,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99A20 NtResumeThread,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D9A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D998F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D998A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D9B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D999D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D997A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D9A770 NtOpenThread,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99760 NtOpenProcess,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D9A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D995F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99560 NtWriteFile,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D9AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D99520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02848280 NtReadFile,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_028483B0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02848300 NtClose,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_028481D0 NtCreateFile,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_028482CA NtClose,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_0284827A NtReadFile,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_028483AA NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_028481CA NtCreateFile,

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_0280FBF8 CreateProcessAsUserW,

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_0280D690
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05AC6018
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05AC0040
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05AC7B98
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05ACE5E0
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05ACE5F0
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05AC8428
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05AC8438
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05ACE030
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05AC6008
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05ACE040
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05AC2228
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0040102E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0041B89A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0041C46E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_00408C70
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0041C4F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0041B4A9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0041B4B6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_00402D88
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0041BF25
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0041B798
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_00FF2050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B599BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B54120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3F900
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4B090
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C028EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C020A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A830
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1002
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C0E824
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6EBB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF03DA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BFDBD2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C02B28
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5AB40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C022AE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BEFA2B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C025DD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B62581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B30D20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C01D55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C02D07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4841F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BFD466
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C0DFCE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C01FF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C02EF7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B56E30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BFD616
Source: C:\Windows\explorer.exe	Code function: 15_2_04DC72FF
Source: C:\Windows\explorer.exe	Code function: 15_2_04DC48F9
Source: C:\Windows\explorer.exe	Code function: 15_2_04DC9062
Source: C:\Windows\explorer.exe	Code function: 15_2_04DCA7C7
Source: C:\Windows\explorer.exe	Code function: 15_2_04DCB5B2
Source: C:\Windows\explorer.exe	Code function: 15_2_04DC5362
Source: C:\Windows\explorer.exe	Code function: 15_2_04DC4902
Source: C:\Windows\explorer.exe	Code function: 15_2_04DC7302
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E222AE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E0FA2B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E1DBD2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E103DA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8EBB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7AB40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E22B28
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E228EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D6B090
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E220A8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D820A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E2E824
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E11002
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A830
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D799BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5F900
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D74120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E22EF7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D76E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E1D616
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E21FF1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E2DFCE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E1D466
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D6841F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D6D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E225DD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D82581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E21D55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E22D07
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D50D20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_0284B798
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02832FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_0284B4A9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_0284B4B6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_0284C4F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02838C70
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02832D88
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02832D90

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B

Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 02D5B150 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 01B3B150 appears 72 times

Source: PO.exe	Binary or memory string: OriginalFilename vs PO.exe
Source: PO.exe, 00000000.00000003.736056198.00000000067E6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAddInProcess32.exeT vs PO.exe
Source: PO.exe, 00000000.00000002.762771390.00000000063C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs PO.exe
Source: PO.exe, 00000000.00000002.753647358.0000000002B31000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPe6.dll" vs PO.exe
Source: PO.exe, 00000000.00000002.763604937.00000000066C0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO.exe

Source: PO.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/2@7/5

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Jump to behavior

Source: PO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\PO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\PO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: PO.exe	Virustotal: Detection: 39%
Source: PO.exe	ReversingLabs: Detection: 27%

Source: unknown	Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'

Source: C:\Users\user\Desktop\PO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: PO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: AddInProcess32.pdb source: PO.exe, 00000000.00000003.736056198.00000000067E6000.00000004.00000001.sdmp, AddInProcess32.exe, wlanext.exe, 00000011.00000002.909296920.00000000003BD000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000F.00000000.770264469.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000B.00000002.793729525.0000000001C2F000.00000040.00000001.sdmp, wlanext.exe, 00000011.00000002.910088572.0000000002D30000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, wlanext.exe
Source:	Binary string: wlanext.pdb source: AddInProcess32.exe, 0000000B.00000002.793498300.0000000001900000.00000040.00000001.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: PO.exe, 00000000.00000003.736056198.00000000067E6000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000002.792851636.0000000000FF2000.00000002.00020000.sdmp, wlanext.exe, 00000011.00000002.909296920.00000000003BD000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wlanext.pdbGCTL source: AddInProcess32.exe, 0000000B.00000002.793498300.0000000001900000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000F.00000000.770264469.0000000005A00000.00000002.00000001.sdmp

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_00405915 push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0040C2BE pushfd ; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0041B3C5 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0041B47C push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0041B412 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0041B41B push eax; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_0041555D push ss; ret
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B8D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DAD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_0283C2BE pushfd ; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_0284B3C5 push eax; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02835915 push esi; iretd
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_0284CC92 pushfd ; iretd
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_0284B412 push eax; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_0284B41B push eax; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_0284B47C push eax; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_0284555D push ss; ret

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\PO.exe

File opened: C:\Users\user\Desktop\PO.exe\:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 00000000028385F4 second address: 00000000028385FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 000000000283898E second address: 0000000002838994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 11_2_004088C0 rdtsc

Source: C:\Users\user\Desktop\PO.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\PO.exe	Window / User API: threadDelayed 431
Source: C:\Users\user\Desktop\PO.exe	Window / User API: threadDelayed 9349

Source: C:\Users\user\Desktop\PO.exe TID: 7032	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\PO.exe TID: 7092	Thread sleep count: 431 > 30
Source: C:\Users\user\Desktop\PO.exe TID: 7092	Thread sleep count: 9349 > 30
Source: C:\Users\user\Desktop\PO.exe TID: 7032	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe TID: 352	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\SysWOW64\wlanext.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 30000

Source: explorer.exe, 0000000F.00000000.774873879.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000000.770052583.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000F.00000000.770654125.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000000.774873879.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000002.917614118.0000000004755000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000000F.00000000.775024682.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000000F.00000000.770052583.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000F.00000000.770052583.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000F.00000000.775024682.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 0000000F.00000000.770052583.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PO.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Code function: 11_2_004088C0 rdtsc

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_05AC25B0 LdrInitializeThunk,

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B599BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B599BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B599BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B599BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B62990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BC41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B54120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B39100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B39100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B39100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B39080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B358EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BCB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BCB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C01074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C04015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C04015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B50050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B50050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B64BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B64BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B64BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B62397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B41B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B41B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BED380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C05BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C08B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B63B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B63B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B62AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B62ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B74A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B74A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C08A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B35210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B35210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B35210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B35210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B53A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BFAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BFAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B48A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B7927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BEB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BEB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BFEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BC4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B61DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B61DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B61DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B635A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BE8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BFE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BBA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B64D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B64D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B64D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B57D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C08D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B73D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BE3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C08CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C0740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C0740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C0740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BCC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BCC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B48794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B737F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B34F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B34F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C08F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BCFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BCFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C0070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C0070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C08ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BB46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BCFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B616E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B476E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C00EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C00EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01C00EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B78EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B636CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BEFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BEFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B6A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B3C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B68E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BF1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B4766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01B47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BFAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 11_2_01BFAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D82ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D82AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D6AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D6AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E0B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E0B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E28A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DE4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D9927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E1EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D55210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D55210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D55210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D55210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D73A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D68A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D94A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D94A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E1AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E1AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DD53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DD53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E25BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D82397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D61B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D61B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E0D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E1138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D84BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D84BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D84BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D83B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D83B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E28B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E1131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DEB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D540E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D540E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D540E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D558EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D59080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DD3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DD3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D990AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D70050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D70050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E12073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E21074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E24015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E24015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DE41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D82990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D799BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D799BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D799BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D799BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DD69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D74120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D836CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D98EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E0FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E28ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D676E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D816E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DEFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02DD46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E1AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E1AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D6766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D8A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D88E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E0FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02E11608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D5E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D937F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 17_2_02D68794 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\PO.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wlanext.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\PO.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 172.120.90.239 80
Source: C:\Windows\explorer.exe	Domain query: www.swpszx.com
Source: C:\Windows\explorer.exe	Domain query: www.mitraberdaya.com
Source: C:\Windows\explorer.exe	Network Connect: 5.181.216.112 80
Source: C:\Windows\explorer.exe	Network Connect: 88.198.220.232 80
Source: C:\Windows\explorer.exe	Domain query: www.marienish.com
Source: C:\Windows\explorer.exe	Network Connect: 81.17.18.197 80
Source: C:\Windows\explorer.exe	Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe	Domain query: www.adanahabernet.com
Source: C:\Windows\explorer.exe	Domain query: www.sidepiecebags.com
Source: C:\Windows\explorer.exe	Domain query: www.wwwflixxy.com

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\PO.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\PO.exe

Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3424

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 2A0000

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\PO.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\PO.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
Source: C:\Users\user\Desktop\PO.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 118B008

Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'

Source: explorer.exe, 0000000F.00000000.752969986.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000000F.00000000.753350365.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000011.00000002.910880399.0000000005390000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000F.00000000.753350365.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000011.00000002.910880399.0000000005390000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000F.00000000.753350365.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000011.00000002.910880399.0000000005390000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000F.00000000.753350365.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000011.00000002.910880399.0000000005390000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000F.00000000.775024682.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Users\user\Desktop\PO.exe VolumeInformation
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation

Source: C:\Users\user\Desktop\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Shared Modules1	Valid Accounts1	Valid Accounts1	Masquerading1	OS Credential Dumping	Security Software Discovery121	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Access Token Manipulation1	Valid Accounts1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection812	Access Token Manipulation1	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion31	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection812	Cached Domain Credentials	System Information Discovery112	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Deobfuscate/Decode Files or Information1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Obfuscated Files or Information3	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Software Packing1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO.exe	40%	Virustotal		Browse
PO.exe	27%	ReversingLabs	ByteCode-MSIL.Trojan.Wacatac
PO.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
11.2.AddInProcess32.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
www.adanahabernet.com	0%	Virustotal		Browse
td-balancer-euw2-6-109.wixdns.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.marienish.com/sawc/?lf=CZ6X&nN60m=Yt32z530e2tITcOEW5SVHb5yrIELojDg7+FgI5/ZTK76GuoPLgYuVmd8rLeapbOqeXRQ	0%	Avira URL Cloud	safe
http://www.adanahabernet.com/sawc/?lf=CZ6X&nN60m=LtE+xZw49qZxNGHwe/5duJoxTMG7p0RZVZ9/xidjWtVQjRXR0IRVZ3163NMz7MOSj/bw	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.sidepiecebags.com/sawc?lf=CZ6X&nN60m=tBYTJLloxChiPW5nd8ZkTRTjZAEjhK8ruaBpTwz2qB9ROPU5gMN	0%	Avira URL Cloud	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://www.mitraberdaya.com/sawc/?nN60m=ZLBYf+dvKraj5xhFECL+Ta+rlTPSnPltnvpHOwD/x7pMqcIuVlTqLuPQwCL73z9ijdq8&lf=CZ6X	0%	Avira URL Cloud	safe
http://ns.d	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://www.wwwflixxy.com/sawc/?nN60m=oHoe0+b7kBAmda/0Hio/bDRlPufoMqcyuQMuAHeH1TSMS98bQSjEeWPHvQ043L9SYNbL&lf=CZ6X	0%	Avira URL Cloud	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sidepiecebags.com/sawc/?lf=CZ6X&nN60m=tBYTJLloxChiPW5nd8ZkTRTjZAEjhK8ruaBpTwz2qB9ROPU5gMN3GO43/2+iRXsYUADi	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
www.retro-e-scooter.com/sawc/	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.adanahabernet.com	172.120.90.239	true	true	0%, Virustotal, Browse	unknown
td-balancer-euw2-6-109.wixdns.net	35.246.6.109	true	false	0%, Virustotal, Browse	unknown
mitraberdaya.com	5.181.216.112	true	true		unknown
www.marienish.com	88.198.220.232	true	true		unknown
www.wwwflixxy.com	81.17.18.197	true	true		unknown
www.swpszx.com	unknown	unknown	true		unknown
www.sidepiecebags.com	unknown	unknown	true		unknown
www.mitraberdaya.com	unknown	unknown	true		unknown
www.oaisdjoqwekxc.info	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.marienish.com/sawc/?lf=CZ6X&nN60m=Yt32z530e2tITcOEW5SVHb5yrIELojDg7+FgI5/ZTK76GuoPLgYuVmd8rLeapbOqeXRQ	true	Avira URL Cloud: safe	unknown
http://www.adanahabernet.com/sawc/?lf=CZ6X&nN60m=LtE+xZw49qZxNGHwe/5duJoxTMG7p0RZVZ9/xidjWtVQjRXR0IRVZ3163NMz7MOSj/bw	true	Avira URL Cloud: safe	unknown
http://www.mitraberdaya.com/sawc/?nN60m=ZLBYf+dvKraj5xhFECL+Ta+rlTPSnPltnvpHOwD/x7pMqcIuVlTqLuPQwCL73z9ijdq8&lf=CZ6X	true	Avira URL Cloud: safe	unknown
http://www.wwwflixxy.com/sawc/?nN60m=oHoe0+b7kBAmda/0Hio/bDRlPufoMqcyuQMuAHeH1TSMS98bQSjEeWPHvQ043L9SYNbL&lf=CZ6X	true	Avira URL Cloud: safe	unknown
http://www.sidepiecebags.com/sawc/?lf=CZ6X&nN60m=tBYTJLloxChiPW5nd8ZkTRTjZAEjhK8ruaBpTwz2qB9ROPU5gMN3GO43/2+iRXsYUADi	false	Avira URL Cloud: safe	unknown
www.retro-e-scooter.com/sawc/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.sidepiecebags.com/sawc?lf=CZ6X&nN60m=tBYTJLloxChiPW5nd8ZkTRTjZAEjhK8ruaBpTwz2qB9ROPU5gMN	wlanext.exe, 00000011.00000002.910661249.00000000033E2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.adobe.cobj	PO.exe, 00000000.00000003.665827004.0000000006C9E000.00000004.00000001.sdmp, PO.exe, 00000000.00000003.744720624.0000000006CA3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false		high
http://ns.d	PO.exe, 00000000.00000003.665827004.0000000006C9E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false		high
http://ns.adobe.c/g	PO.exe, 00000000.00000003.665827004.0000000006C9E000.00000004.00000001.sdmp, PO.exe, 00000000.00000003.744720624.0000000006CA3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.kr	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schema.org/WebPage	PO.exe, 00000000.00000002.753579067.0000000002AB0000.00000004.00000001.sdmp, PO.exe, 00000000.00000002.753609790.0000000002AC7000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false		high
http://crl.pki.goog/GTS1O1core.crl0	PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 0000000F.00000000.754393079.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	PO.exe, 00000000.00000002.752842533.0000000000C41000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO.exe, 00000000.00000002.753550210.0000000002A81000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 0000000F.00000000.775921775.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.ado/1	PO.exe, 00000000.00000003.665827004.0000000006C9E000.00000004.00000001.sdmp, PO.exe, 00000000.00000003.744720624.0000000006CA3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.120.90.239	www.adanahabernet.com	United States	18779	EGIHOSTINGUS	true
35.246.6.109	td-balancer-euw2-6-109.wixdns.net	United States	15169	GOOGLEUS	false
5.181.216.112	mitraberdaya.com	Germany	59637	ASRSINETRU	true
88.198.220.232	www.marienish.com	Germany	24940	HETZNER-ASDE	true
81.17.18.197	www.wwwflixxy.com	Switzerland	51852	PLI-ASCH	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385455
Start date:	12.04.2021
Start time:	14:41:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 42s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	PO.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/2@7/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 10.5% (good quality ratio 9.3%) Quality average: 71.8% Quality standard deviation: 32.3%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 131.253.33.200, 13.107.22.200, 20.82.210.154, 92.122.145.220, 52.255.188.83, 172.217.168.68, 104.43.193.48, 20.50.102.62, 92.122.213.194, 92.122.213.247, 52.155.217.156, 2.20.142.210, 2.20.142.209, 13.88.21.125, 20.54.26.129, 104.42.151.234, 204.79.197.200, 13.107.21.200, 168.61.161.212 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:42:36	API Interceptor	205x Sleep call for process: PO.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
81.17.18.197	New order.exe	Get hash	malicious	Browse	www.websturantstores.com/n30n/?GdIH=G/DzMx+d204CF5AP88QxeqS6sJNTz4LLrkYR9BUBvxQsmK0qcscpTEXEOebQ5Jlvr4pR&Ajn=6lNDphQHVxzXvzn0
	ba2Eq178BGXyW5T.exe	Get hash	malicious	Browse	www.creditccu.com/saeo/?VR-XC=+LK2db7d1C228uPLxd5ygJhrKKw4PmObcrVrj8h4try9Uk2AkyD+T0eEdOxWELiRHlqOhJ++0Q==&EzrLKJ=7nolpl80-0_l
	ARBmDNJS7m.exe	Get hash	malicious	Browse	www.thesahwfam.com/aqu2/?rPj0Qr6=5EjXvdr19C9mZVkY3fKTgvDOgP0S6WDmsKJe/OA2LcJULTMy4Vts0y1eMnfEeD++X6ym&tXrx=gdkpfvSpm
	bank details.exe	Get hash	malicious	Browse	www.websturantstores.com/n30n/?ofl4i=G/DzMx+d204CF5AP88QxeqS6sJNTz4LLrkYR9BUBvxQsmK0qcscpTEXEOd3Al45UsNAAJIiFew==&1bj=3fb4MJahNHJTdZ
	MV Sky Marine_pdf.exe	Get hash	malicious	Browse	www.maggionaossurvey.com/m2be/?t8r=Pmzzl7xNdTjxpE7TKPUfs2K+Zd8HAaj1ahYlw/e4QxTLjn1ka96YHmJ+nuPWA19CGBx9&1bYxT=mTfpcdW
	Fully Executed Contract.xlsx	Get hash	malicious	Browse	www.moivimghelp.com/3ueg/?cFN=M2dMggRa+qWs+54KRtLORvUVTY3BOmPoqQphpI9D42oERes0GK1zt/GfhBnBSuZgn3IDVw==&PBU=dpg8g
	orii11.exe	Get hash	malicious	Browse	www.coolsymblo.com/mdi/?8pp=NaWvyIyy6QtsmFQzCOhmEvnUVIUE4plx5JQMET6U2PY7MLGNGTu8WAtHnoy0dEU0LGP5&sZCx=1bYdfPf8ef5pjPm
	PO 20211602.xlsm	Get hash	malicious	Browse	www.amazoncereer.com/idir/?ndy0WrQ=MuSSFaLFnaMdG5ibhe0jYYgED5+p3qyI7K0s64CtauJfWqjMgz6S47xVu4TyimxOQR+o&pN=EXs8wvhx9TEL
	QUOTATION REQUEST_0000564.xlsx	Get hash	malicious	Browse	www.evalinkapuppets.com/wgn/?BL=yzrxAV8xG&3ftx=jh72N97QMkwfO2d3KYrqs0yYsyG8v2l7CsNzN+j5IlsYV6bX9tr3/MROXW68KV2j/aiHNw==
	2WiiGHszyC.exe	Get hash	malicious	Browse	www.lakeviewbarbershonola.com/gqx2/?6l=Ie6QWhcnBKw0CGg1XJOkUi0EQjBhFk91sVnWxFvJgDqo9wqAijnneb/Qtq5IK98OLw5iavE1Ug==&2dB=2dkhLvNpOPY4xHI
	Mv Tiger Flame.xlsx	Get hash	malicious	Browse	www.stonescapes1.com/de92/?2dL=7nU0-8b&mrj830Qp=FMDFc6rOlp10jaqop6r3BpbflKlZCzzEN1iblkluZIOvebj5bOK3jo1m1AppDhOD0Sh+SQ==
	5DY3NrVgpI.exe	Get hash	malicious	Browse	www.stonescapes1.com/de92/?AjR=9r4L1&FdC4E2D=FMDFc6rLlu1wjKmkr6r3BpbflKlZCzzEN16L5n5vdoOueqP/ceb71sNk2mpWEx2I2yJYLkA5Ng==
	BSL 21 PYT.xlsx	Get hash	malicious	Browse	www.stonescapes1.com/de92/?3fy=ixoxnF3htbYD4&MBZ84N=FMDFc6rOlp10jaqop6r3BpbflKlZCzzEN1iblkluZIOvebj5bOK3jo1m1AppDhOD0Sh+SQ==
	cap.exe	Get hash	malicious	Browse	www.19studies.com/llp/?1b8xixO=W1JrZVtpqksa30DvZh28hoNS2Q7wajXPDOYu4PqWibNCQENdzEfDU2VKEwSNgVf8dnqp&k2Jdyb=fDHXWLx0Sx
	http://gmai.com	Get hash	malicious	Browse	gmai.com/
	oqTdpbN5rF.exe	Get hash	malicious	Browse	www.bikininbodymommy.com/kgw/?NTlTsb=o2J8lThHmJUlqtc0&0V0hlT=nwMujlop9k/e7RKxDV6F2DOpfZu+NAvKA+XHz2bBew91D/bKU35KPyupQFDW23mxRXA2
	DEBIT NOTE DB-1130.exe	Get hash	malicious	Browse	www.finerfinishdetailing.com/ihm3/?sBZ4lrK=MVHj8NpKUi/kGq2WqPWtWe1kfEepi50iLMi17zPtoBo45+X1i5KOEOTiX88XpshQg/Q0Y5LK0A==&FPcT7b=djCDfFRXOP7H
	http://myyaccountnow.com	Get hash	malicious	Browse	myyaccountnow.com/?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYwNTcwMTU5NiwiaWF0IjoxNjA1Njk0Mzk2LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIycDQ5NTJ0dGQxMDMwZnR0cDAxZWxubTUiLCJuYmYiOjE2MDU2OTQzOTYsInRzIjoxNjA1Njk0Mzk2MDMzMTIwfQ.qFDQ8y0csGQT92fLLCPmRXUt_UrqrT-zHf2KaXfP-u0&sid=ac6e8996-2986-11eb-b228-d22dece2e20a
	SHIPMENT DOCUMENT.xlsx	Get hash	malicious	Browse	www.0rdergreatcourses.com/tlu/?ebc8=E2JdjN_822M&Kpjp=2k86lJNvHQKwDeUOqSMVod6dwHgOLn8Zxtyr2GR3VPN3S1v7/B94SfkTMW/EDa2JnIoDVA==
	PI210941.exe	Get hash	malicious	Browse	www.1stsibs.com/t4vo/?o2J=2GWkw3XktBIuKu1KSFtried+VROsZF7cAlDwF3yw8T8b5m0lJCV39rV8wy2v/JxKv+u9&4h0=vZR8DbS8Z4yXah

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASRSINETRU	SwiftMT103.xlsx	Get hash	malicious	Browse	5.181.216.106
	PO4308.exe	Get hash	malicious	Browse	5.181.216.83
	ORIGINAL SHIPPING DOCUMENTSPDF.exe	Get hash	malicious	Browse	5.181.216.71
	POWPO-201209-248-INV10981-PI100833-Waycos20210225.xlsx	Get hash	malicious	Browse	5.181.218.13
	BUNKRequsition_Mar 2021.xlsx	Get hash	malicious	Browse	5.181.218.13
	RPI_Scanned_30957.doc	Get hash	malicious	Browse	5.181.216.140
	61vPFITGkbgCrMT.exe	Get hash	malicious	Browse	5.181.218.55
	6tivtkKtQx.exe	Get hash	malicious	Browse	5.181.216.100
	v07PSzmSp9.exe	Get hash	malicious	Browse	5.181.216.100
	INGNhYonmgtGZ9Updf.exe	Get hash	malicious	Browse	5.181.218.55
	invoice 2021.xlsx	Get hash	malicious	Browse	5.181.216.120
	worked.exe	Get hash	malicious	Browse	5.181.216.120
	VCS58GQMhuCYghC.exe	Get hash	malicious	Browse	5.181.218.55
	3KvCNpcQ6tvwKr5.exe	Get hash	malicious	Browse	5.181.218.55
	xPkiX7vwNVqQf9I.exe	Get hash	malicious	Browse	5.181.216.115
	Y75vU558UfuGbzM.exe	Get hash	malicious	Browse	5.181.218.55
	5YfNeXk1f0wrxXm.exe	Get hash	malicious	Browse	5.181.218.55
	t1XJOlYvhExZyrm.exe	Get hash	malicious	Browse	5.181.218.55
	JdtN8nIcLi8RQOi.exe	Get hash	malicious	Browse	5.181.218.55
	FtLroeD5Kmr6rNC.exe	Get hash	malicious	Browse	5.181.216.115
HETZNER-ASDE	Anmodning om tilbud 12-04-2021#U00b7pdf.exe	Get hash	malicious	Browse	195.201.225.248
	SecuriteInfo.com.Trojan.Packed.24465.17731.exe	Get hash	malicious	Browse	148.251.48.16
	SecuriteInfo.com.Trojan.Packed.24465.12290.exe	Get hash	malicious	Browse	148.251.48.16
	SecuriteInfo.com.Trojan.Packed.24465.2847.exe	Get hash	malicious	Browse	148.251.48.16
	Bank Details.xlsx	Get hash	malicious	Browse	144.76.242.196
	R496CkgPqa.exe	Get hash	malicious	Browse	195.201.225.248
	qTlPus8IDT.exe	Get hash	malicious	Browse	195.201.225.248
	phantom.exe	Get hash	malicious	Browse	195.201.225.248
	output(1).exe	Get hash	malicious	Browse	95.216.186.40
	C++ Dropper.exe	Get hash	malicious	Browse	88.99.66.31
	rGnw6yNeQi.exe	Get hash	malicious	Browse	195.201.225.248
	89BA6CA01979A51DD5E8FEE7D80E8D69322531BA35775.exe	Get hash	malicious	Browse	136.243.104.235
	IJht2pqbVh.exe	Get hash	malicious	Browse	88.99.66.31
	tdGFhgEQeh.exe	Get hash	malicious	Browse	195.201.225.248
	rnd382WXs3.exe	Get hash	malicious	Browse	195.201.225.248
	SecuriteInfo.com.W32.AIDetect.malware1.19715.exe	Get hash	malicious	Browse	195.201.225.248
	toolspab2.exe	Get hash	malicious	Browse	195.201.225.248
	p96tm6y3yo.exe	Get hash	malicious	Browse	116.203.98.215
	gePWRo7op0.exe	Get hash	malicious	Browse	195.201.225.248
	u0r63PfgIe.exe	Get hash	malicious	Browse	195.201.225.248
EGIHOSTINGUS	Contract Agreement.exe	Get hash	malicious	Browse	142.111.179.147
	s6G3ZtvHZg.exe	Get hash	malicious	Browse	142.111.76.118
	g2qwgG2xbe.exe	Get hash	malicious	Browse	142.111.47.2
	winlog.exe	Get hash	malicious	Browse	104.252.75.179
	1ucvVfbHnD.exe	Get hash	malicious	Browse	142.111.47.2
	PO#560.zip.exe	Get hash	malicious	Browse	50.118.194.26
	PO4308.exe	Get hash	malicious	Browse	104.164.33.210
	PO7321.exe	Get hash	malicious	Browse	104.164.33.210
	SAKKAB QUOTATION_REQUEST.exe	Get hash	malicious	Browse	107.164.194.71
	RFQ-V-SAM-0321D056-DOC.exe	Get hash	malicious	Browse	104.252.75.179
	RFQ-415532-Refractory Materials for KNPC PROJECT_Tender in Kuwait...xlsx.exe	Get hash	malicious	Browse	107.165.116.66
	Request an Estimate_2021_04_01.exe	Get hash	malicious	Browse	107.186.223.220
	PO PL.exe	Get hash	malicious	Browse	107.186.125.46
	PO#7689.zip.exe	Get hash	malicious	Browse	50.118.194.26
	2021-04-01.exe	Get hash	malicious	Browse	107.186.80.12
	PI.exe	Get hash	malicious	Browse	104.252.75.130
	Inquiry.docx	Get hash	malicious	Browse	50.118.194.27
	BL Draft copy.exe	Get hash	malicious	Browse	107.186.80.9
	g0g865fQ2S.exe	Get hash	malicious	Browse	142.111.47.2
	FTT103634332.exe	Get hash	malicious	Browse	50.117.53.247

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Payment Advice.jpg.exe	Get hash	malicious	Browse
	PO.exe	Get hash	malicious	Browse
	PO_6620200947535257661_Arabico.PDF.exe	Get hash	malicious	Browse
	Khay11iwV6.exe	Get hash	malicious	Browse
	OrderRequest29032021_BituChemLtd.exe	Get hash	malicious	Browse
	CL746713-6231150.exe	Get hash	malicious	Browse
	QG8y26K6ef.exe	Get hash	malicious	Browse
	DOC8743340924789.exe	Get hash	malicious	Browse
	PO_6620200947535257659_Arabico.PDF.exe	Get hash	malicious	Browse
	DARWISH TRADING PROFILE copy.exe	Get hash	malicious	Browse
	RFQ_38463846393646388368364834.exe	Get hash	malicious	Browse
	Company profile.exe	Get hash	malicious	Browse
	PO.exe	Get hash	malicious	Browse
	Doc_3847468364836483638463,pdf.exe	Get hash	malicious	Browse
	J3RZHj0FIu.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PWS.Siggen2.61833.4196.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PWS.Siggen2.61912.12941.exe	Get hash	malicious	Browse
	Done.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.45865428.31596.exe	Get hash	malicious	Browse
	Shipping _doc_pdf scan 0094775885895.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log Download File
Process:	C:\Users\user\Desktop\PO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1402
Entropy (8bit):	5.338819835253785
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84bE4K5AE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKoesXE8:MIHK5HKXE1qHxvbHK5AHKzvRYHKhQnoe
MD5:	1B32E71ED0326337C6593D13A55E54F4
SHA1:	0452CD9E26B6C35A3D186FD6DDB1B3365AFDB16C
SHA-256:	047E61E1F57F4922CA346203710E828859BB61800D9A72C2E64092EBB218CCA8
SHA-512:	1B5BF6D43F14FFEC6A58366222F606CB9EA1781E9E4A7E6F340E9982DD82F296ACA693EA94105F78705C01D254A7B7897050C7289CC942122C7B83221CC15DAA
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co

C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Download File
Process:	C:\Users\user\Desktop\PO.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42080
Entropy (8bit):	6.2125074198825105
Encrypted:	false
SSDEEP:	384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
MD5:	F2A47587431C466535F3C3D3427724BE
SHA1:	90DF719241CE04828F0DD4D31D683F84790515FF
SHA-256:	23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
SHA-512:	E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Payment Advice.jpg.exe, Detection: malicious, Browse Filename: PO.exe, Detection: malicious, Browse Filename: PO_6620200947535257661_Arabico.PDF.exe, Detection: malicious, Browse Filename: Khay11iwV6.exe, Detection: malicious, Browse Filename: OrderRequest29032021_BituChemLtd.exe, Detection: malicious, Browse Filename: CL746713-6231150.exe, Detection: malicious, Browse Filename: QG8y26K6ef.exe, Detection: malicious, Browse Filename: DOC8743340924789.exe, Detection: malicious, Browse Filename: PO_6620200947535257659_Arabico.PDF.exe, Detection: malicious, Browse Filename: DARWISH TRADING PROFILE copy.exe, Detection: malicious, Browse Filename: RFQ_38463846393646388368364834.exe, Detection: malicious, Browse Filename: Company profile.exe, Detection: malicious, Browse Filename: PO.exe, Detection: malicious, Browse Filename: Doc_3847468364836483638463,pdf.exe, Detection: malicious, Browse Filename: J3RZHj0FIu.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PWS.Siggen2.61833.4196.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PWS.Siggen2.61912.12941.exe, Detection: malicious, Browse Filename: Done.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.GenericKD.45865428.31596.exe, Detection: malicious, Browse Filename: Shipping _doc_pdf scan 0094775885895.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..X...........w... ........@.. ...................................`.................................Hw..O....... ............f..`>...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................\|w......H........#...Q...................u.......................................0..K........-....i.......r...p.o....,....r...p.o....-.......o......o.....$........o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o....(+...o,.....&...(-...........3..@......R...s.....s....(....:.(/.....}P...J.{P....o0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.76217978174977
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO.exe
File size:	542208
MD5:	4bb710142c4fa183e24dbd3ce3c7b51d
SHA1:	64a659096deda60c37861ddc0d26d3bfb11cc0c7
SHA256:	4903d25c490e1b6c899c4fb9d3d3eb16d79c802245d4c2b667ff06f42724e358
SHA512:	7b157763a01bcfba0a66d026af138209a2b3fccd955e789158d39a5e4738491f8146c1894aceabae42e7e064b02314f098ea52351dcbd2f66feed2b8ee6acc35
SSDEEP:	12288:laRZszqqB3PQhPp5owXoJSq5Qbxn09z2Oe:tzqIgfobC909S
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m....................:...........X... ...`....@.. ....................................`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4858ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x13C6926D [Mon Jul 7 01:18:37 1980 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x858a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x86000	0x612	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x838f4	0x83a00	False	0.643192070275	data	6.77669868061	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x86000	0x612	0x800	False	0.349609375	data	3.63882954088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x88000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x860a0	0x388	data
RT_MANIFEST	0x86428	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018 =B3E94;GD4HDE2>7?E=?9<IG
Assembly Version	1.0.0.0
InternalName	PO.exe
FileVersion	9.14.18.23
CompanyName	=B3E94;GD4HDE2>7?E=?9<IG
Comments	@5<?5677JAJ46=E=
ProductName	44J43IA<E7EF<:<J4
ProductVersion	9.14.18.23
FileDescription	44J43IA<E7EF<:<J4
OriginalFilename	PO.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 14:44:01.719662905 CEST	49757	80	192.168.2.4	88.198.220.232
Apr 12, 2021 14:44:01.788974047 CEST	80	49757	88.198.220.232	192.168.2.4
Apr 12, 2021 14:44:01.792118073 CEST	49757	80	192.168.2.4	88.198.220.232
Apr 12, 2021 14:44:01.792294979 CEST	49757	80	192.168.2.4	88.198.220.232
Apr 12, 2021 14:44:01.859123945 CEST	80	49757	88.198.220.232	192.168.2.4
Apr 12, 2021 14:44:01.859483957 CEST	80	49757	88.198.220.232	192.168.2.4
Apr 12, 2021 14:44:01.859602928 CEST	80	49757	88.198.220.232	192.168.2.4
Apr 12, 2021 14:44:01.859725952 CEST	49757	80	192.168.2.4	88.198.220.232
Apr 12, 2021 14:44:01.859812975 CEST	49757	80	192.168.2.4	88.198.220.232
Apr 12, 2021 14:44:01.926632881 CEST	80	49757	88.198.220.232	192.168.2.4
Apr 12, 2021 14:44:06.965579033 CEST	49759	80	192.168.2.4	81.17.18.197
Apr 12, 2021 14:44:07.016638994 CEST	80	49759	81.17.18.197	192.168.2.4
Apr 12, 2021 14:44:07.016875029 CEST	49759	80	192.168.2.4	81.17.18.197
Apr 12, 2021 14:44:07.017080069 CEST	49759	80	192.168.2.4	81.17.18.197
Apr 12, 2021 14:44:07.069204092 CEST	80	49759	81.17.18.197	192.168.2.4
Apr 12, 2021 14:44:07.083889961 CEST	80	49759	81.17.18.197	192.168.2.4
Apr 12, 2021 14:44:07.084017992 CEST	80	49759	81.17.18.197	192.168.2.4
Apr 12, 2021 14:44:07.084131956 CEST	49759	80	192.168.2.4	81.17.18.197
Apr 12, 2021 14:44:07.084167004 CEST	49759	80	192.168.2.4	81.17.18.197
Apr 12, 2021 14:44:07.134614944 CEST	80	49759	81.17.18.197	192.168.2.4
Apr 12, 2021 14:44:12.321546078 CEST	49763	80	192.168.2.4	172.120.90.239
Apr 12, 2021 14:44:12.522766113 CEST	80	49763	172.120.90.239	192.168.2.4
Apr 12, 2021 14:44:12.522927046 CEST	49763	80	192.168.2.4	172.120.90.239
Apr 12, 2021 14:44:12.523111105 CEST	49763	80	192.168.2.4	172.120.90.239
Apr 12, 2021 14:44:12.727207899 CEST	80	49763	172.120.90.239	192.168.2.4
Apr 12, 2021 14:44:12.727238894 CEST	80	49763	172.120.90.239	192.168.2.4
Apr 12, 2021 14:44:12.727257013 CEST	80	49763	172.120.90.239	192.168.2.4
Apr 12, 2021 14:44:12.727279902 CEST	80	49763	172.120.90.239	192.168.2.4
Apr 12, 2021 14:44:12.727292061 CEST	80	49763	172.120.90.239	192.168.2.4
Apr 12, 2021 14:44:12.727500916 CEST	49763	80	192.168.2.4	172.120.90.239
Apr 12, 2021 14:44:12.727546930 CEST	49763	80	192.168.2.4	172.120.90.239
Apr 12, 2021 14:44:12.727669001 CEST	49763	80	192.168.2.4	172.120.90.239
Apr 12, 2021 14:44:22.947943926 CEST	49764	80	192.168.2.4	35.246.6.109
Apr 12, 2021 14:44:23.013540983 CEST	80	49764	35.246.6.109	192.168.2.4
Apr 12, 2021 14:44:23.013648987 CEST	49764	80	192.168.2.4	35.246.6.109
Apr 12, 2021 14:44:23.013834000 CEST	49764	80	192.168.2.4	35.246.6.109
Apr 12, 2021 14:44:23.079365969 CEST	80	49764	35.246.6.109	192.168.2.4
Apr 12, 2021 14:44:23.112587929 CEST	80	49764	35.246.6.109	192.168.2.4
Apr 12, 2021 14:44:23.112617016 CEST	80	49764	35.246.6.109	192.168.2.4
Apr 12, 2021 14:44:23.112770081 CEST	49764	80	192.168.2.4	35.246.6.109
Apr 12, 2021 14:44:23.112869024 CEST	49764	80	192.168.2.4	35.246.6.109
Apr 12, 2021 14:44:23.179826021 CEST	80	49764	35.246.6.109	192.168.2.4
Apr 12, 2021 14:44:28.537760019 CEST	49765	80	192.168.2.4	5.181.216.112
Apr 12, 2021 14:44:28.738585949 CEST	80	49765	5.181.216.112	192.168.2.4
Apr 12, 2021 14:44:28.738795042 CEST	49765	80	192.168.2.4	5.181.216.112
Apr 12, 2021 14:44:28.738830090 CEST	49765	80	192.168.2.4	5.181.216.112
Apr 12, 2021 14:44:28.939632893 CEST	80	49765	5.181.216.112	192.168.2.4
Apr 12, 2021 14:44:29.249324083 CEST	49765	80	192.168.2.4	5.181.216.112
Apr 12, 2021 14:44:29.489649057 CEST	80	49765	5.181.216.112	192.168.2.4
Apr 12, 2021 14:44:29.873827934 CEST	80	49765	5.181.216.112	192.168.2.4
Apr 12, 2021 14:44:29.873862028 CEST	80	49765	5.181.216.112	192.168.2.4
Apr 12, 2021 14:44:29.873955965 CEST	49765	80	192.168.2.4	5.181.216.112
Apr 12, 2021 14:44:29.873981953 CEST	49765	80	192.168.2.4	5.181.216.112

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 14:42:18.326673031 CEST	64646	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:42:18.341506958 CEST	65298	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:42:18.375377893 CEST	59123	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:42:18.375395060 CEST	53	64646	8.8.8.8	192.168.2.4
Apr 12, 2021 14:42:18.415648937 CEST	53	65298	8.8.8.8	192.168.2.4
Apr 12, 2021 14:42:18.426920891 CEST	53	59123	8.8.8.8	192.168.2.4
Apr 12, 2021 14:42:21.305354118 CEST	54531	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:42:21.365734100 CEST	53	54531	8.8.8.8	192.168.2.4
Apr 12, 2021 14:42:22.303026915 CEST	49714	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:42:22.351854086 CEST	53	49714	8.8.8.8	192.168.2.4
Apr 12, 2021 14:42:27.158451080 CEST	58028	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:42:27.215617895 CEST	53	58028	8.8.8.8	192.168.2.4
Apr 12, 2021 14:42:27.654678106 CEST	53097	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:42:27.726892948 CEST	53	53097	8.8.8.8	192.168.2.4
Apr 12, 2021 14:42:27.741704941 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:42:27.798748970 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 12, 2021 14:42:38.399488926 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:42:38.461764097 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 12, 2021 14:42:52.658833027 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:42:52.710298061 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 12, 2021 14:42:59.883271933 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:42:59.944680929 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:10.069865942 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:10.118788958 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:13.428188086 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:13.493645906 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:13.638102055 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:13.700251102 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:13.858711004 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:13.918509007 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:15.781455040 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:15.845271111 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:16.089979887 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:16.139188051 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:16.448321104 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:16.507122040 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:17.066649914 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:17.121779919 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:17.383078098 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:17.450237989 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:17.815967083 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:17.873720884 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:18.535752058 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:18.593535900 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:19.386559963 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:19.443630934 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:20.553845882 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:20.604923964 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:21.973670006 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:22.033448935 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:22.902383089 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:22.957165956 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:30.012734890 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:30.071494102 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:41.008186102 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:41.057065010 CEST	53	55046	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:49.759149075 CEST	49612	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:49.807861090 CEST	53	49612	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:57.420022011 CEST	49285	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:57.471882105 CEST	53	49285	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:58.524750948 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:58.576957941 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 12, 2021 14:43:59.734992027 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:43:59.788009882 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 12, 2021 14:44:00.816592932 CEST	56448	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:44:00.884073973 CEST	53	56448	8.8.8.8	192.168.2.4
Apr 12, 2021 14:44:01.390639067 CEST	59172	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:44:01.439263105 CEST	53	59172	8.8.8.8	192.168.2.4
Apr 12, 2021 14:44:01.632924080 CEST	62420	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:44:01.708024025 CEST	53	62420	8.8.8.8	192.168.2.4
Apr 12, 2021 14:44:04.046782017 CEST	60579	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:44:04.095602989 CEST	53	60579	8.8.8.8	192.168.2.4
Apr 12, 2021 14:44:06.877645969 CEST	50183	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:44:06.964396000 CEST	53	50183	8.8.8.8	192.168.2.4
Apr 12, 2021 14:44:07.563872099 CEST	61531	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:44:07.612555981 CEST	53	61531	8.8.8.8	192.168.2.4
Apr 12, 2021 14:44:08.601608992 CEST	49228	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:44:08.650274992 CEST	53	49228	8.8.8.8	192.168.2.4
Apr 12, 2021 14:44:09.655905008 CEST	59794	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:44:09.706682920 CEST	53	59794	8.8.8.8	192.168.2.4
Apr 12, 2021 14:44:12.095752001 CEST	55916	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:44:12.318901062 CEST	53	55916	8.8.8.8	192.168.2.4
Apr 12, 2021 14:44:17.759136915 CEST	52752	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:44:17.845458031 CEST	53	52752	8.8.8.8	192.168.2.4
Apr 12, 2021 14:44:22.862821102 CEST	60542	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:44:22.946855068 CEST	53	60542	8.8.8.8	192.168.2.4
Apr 12, 2021 14:44:28.138525009 CEST	60689	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:44:28.536580086 CEST	53	60689	8.8.8.8	192.168.2.4
Apr 12, 2021 14:44:34.270891905 CEST	64206	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:44:34.368071079 CEST	53	64206	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 14:44:01.632924080 CEST	192.168.2.4	8.8.8.8	0x8f05	Standard query (0)	www.marienish.com	A (IP address)	IN (0x0001)
Apr 12, 2021 14:44:06.877645969 CEST	192.168.2.4	8.8.8.8	0xbff7	Standard query (0)	www.wwwflixxy.com	A (IP address)	IN (0x0001)
Apr 12, 2021 14:44:12.095752001 CEST	192.168.2.4	8.8.8.8	0xb138	Standard query (0)	www.adanahabernet.com	A (IP address)	IN (0x0001)
Apr 12, 2021 14:44:17.759136915 CEST	192.168.2.4	8.8.8.8	0x2340	Standard query (0)	www.swpszx.com	A (IP address)	IN (0x0001)
Apr 12, 2021 14:44:22.862821102 CEST	192.168.2.4	8.8.8.8	0x617e	Standard query (0)	www.sidepiecebags.com	A (IP address)	IN (0x0001)
Apr 12, 2021 14:44:28.138525009 CEST	192.168.2.4	8.8.8.8	0x376e	Standard query (0)	www.mitraberdaya.com	A (IP address)	IN (0x0001)
Apr 12, 2021 14:44:34.270891905 CEST	192.168.2.4	8.8.8.8	0x6ec8	Standard query (0)	www.oaisdjoqwekxc.info	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 14:44:01.708024025 CEST	8.8.8.8	192.168.2.4	0x8f05	No error (0)	www.marienish.com		88.198.220.232	A (IP address)	IN (0x0001)
Apr 12, 2021 14:44:06.964396000 CEST	8.8.8.8	192.168.2.4	0xbff7	No error (0)	www.wwwflixxy.com		81.17.18.197	A (IP address)	IN (0x0001)
Apr 12, 2021 14:44:12.318901062 CEST	8.8.8.8	192.168.2.4	0xb138	No error (0)	www.adanahabernet.com		172.120.90.239	A (IP address)	IN (0x0001)
Apr 12, 2021 14:44:17.845458031 CEST	8.8.8.8	192.168.2.4	0x2340	Name error (3)	www.swpszx.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 14:44:22.946855068 CEST	8.8.8.8	192.168.2.4	0x617e	No error (0)	www.sidepiecebags.com	www10.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 14:44:22.946855068 CEST	8.8.8.8	192.168.2.4	0x617e	No error (0)	www10.wixdns.net	balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 14:44:22.946855068 CEST	8.8.8.8	192.168.2.4	0x617e	No error (0)	balancer.wixdns.net	5f36b111-balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 14:44:22.946855068 CEST	8.8.8.8	192.168.2.4	0x617e	No error (0)	5f36b111-balancer.wixdns.net	td-balancer-euw2-6-109.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 14:44:22.946855068 CEST	8.8.8.8	192.168.2.4	0x617e	No error (0)	td-balancer-euw2-6-109.wixdns.net		35.246.6.109	A (IP address)	IN (0x0001)
Apr 12, 2021 14:44:28.536580086 CEST	8.8.8.8	192.168.2.4	0x376e	No error (0)	www.mitraberdaya.com	mitraberdaya.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 14:44:28.536580086 CEST	8.8.8.8	192.168.2.4	0x376e	No error (0)	mitraberdaya.com		5.181.216.112	A (IP address)	IN (0x0001)
Apr 12, 2021 14:44:34.368071079 CEST	8.8.8.8	192.168.2.4	0x6ec8	Name error (3)	www.oaisdjoqwekxc.info	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.marienish.com

www.wwwflixxy.com

www.adanahabernet.com

www.sidepiecebags.com

www.mitraberdaya.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49757	88.198.220.232	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 14:44:01.792294979 CEST	6356	OUT	GET /sawc/?lf=CZ6X&nN60m=Yt32z530e2tITcOEW5SVHb5yrIELojDg7+FgI5/ZTK76GuoPLgYuVmd8rLeapbOqeXRQ HTTP/1.1 Host: www.marienish.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 14:44:01.859483957 CEST	6356	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 12 Apr 2021 12:44:01 GMT Server: Apache Location: https://www.marienish.com/sawc/?lf=CZ6X&nN60m=Yt32z530e2tITcOEW5SVHb5yrIELojDg7+FgI5/ZTK76GuoPLgYuVmd8rLeapbOqeXRQ Content-Length: 393 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 61 72 69 65 6e 69 73 68 2e 63 6f 6d 2f 73 61 77 63 2f 3f 6c 66 3d 43 5a 36 58 26 61 6d 70 3b 6e 4e 36 30 6d 3d 59 74 33 32 7a 35 33 30 65 32 74 49 54 63 4f 45 57 35 53 56 48 62 35 79 72 49 45 4c 6f 6a 44 67 37 2b 46 67 49 35 2f 5a 54 4b 37 36 47 75 6f 50 4c 67 59 75 56 6d 64 38 72 4c 65 61 70 62 4f 71 65 58 52 51 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 61 72 69 65 6e 69 73 68 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.marienish.com/sawc/?lf=CZ6X&nN60m=Yt32z530e2tITcOEW5SVHb5yrIELojDg7+FgI5/ZTK76GuoPLgYuVmd8rLeapbOqeXRQ">here</a>.</p><hr><address>Apache Server at www.marienish.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49759	81.17.18.197	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 14:44:07.017080069 CEST	6368	OUT	GET /sawc/?nN60m=oHoe0+b7kBAmda/0Hio/bDRlPufoMqcyuQMuAHeH1TSMS98bQSjEeWPHvQ043L9SYNbL&lf=CZ6X HTTP/1.1 Host: www.wwwflixxy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 14:44:07.083889961 CEST	6369	IN	HTTP/1.1 200 OK cache-control: max-age=0, private, must-revalidate connection: close content-length: 565 content-type: text/html; charset=utf-8 date: Mon, 12 Apr 2021 12:44:06 GMT server: nginx set-cookie: sid=c52b47e4-9b8c-11eb-89fd-2dd5e54b280f; path=/; domain=.wwwflixxy.com; expires=Sat, 30 Apr 2089 15:58:14 GMT; max-age=2147483647; HttpOnly Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 27 68 74 74 70 3a 2f 2f 77 77 77 2e 77 77 77 66 6c 69 78 78 79 2e 63 6f 6d 2f 73 61 77 63 2f 3f 6a 73 3d 65 79 4a 68 62 47 63 69 4f 69 4a 49 55 7a 49 31 4e 69 49 73 49 6e 52 35 63 43 49 36 49 6b 70 58 56 43 4a 39 2e 65 79 4a 68 64 57 51 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 56 34 63 43 49 36 4d 54 59 78 4f 44 49 7a 4f 44 59 30 4e 79 77 69 61 57 46 30 49 6a 6f 78 4e 6a 45 34 4d 6a 4d 78 4e 44 51 33 4c 43 4a 70 63 33 4d 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 70 7a 49 6a 6f 78 4c 43 4a 71 64 47 6b 69 4f 69 49 79 63 48 46 6f 63 48 4a 69 4e 7a 4a 78 64 6a 42 77 5a 33 59 33 5a 6e 4d 78 4f 57 46 6c 4e 6d 59 69 4c 43 4a 75 59 6d 59 69 4f 6a 45 32 4d 54 67 79 4d 7a 45 30 4e 44 63 73 49 6e 52 7a 49 6a 6f 78 4e 6a 45 34 4d 6a 4d 78 4e 44 51 33 4d 44 63 78 4f 44 51 30 66 51 2e 64 6c 72 51 6a 76 73 67 79 66 5a 38 30 42 6f 7a 73 51 43 72 6a 2d 53 77 47 4f 39 71 6c 6a 5f 58 55 54 6c 4e 34 34 52 41 35 4b 34 26 6c 66 3d 43 5a 36 58 26 6e 4e 36 30 6d 3d 6f 48 6f 65 30 2b 62 37 6b 42 41 6d 64 61 25 32 46 30 48 69 6f 25 32 46 62 44 52 6c 50 75 66 6f 4d 71 63 79 75 51 4d 75 41 48 65 48 31 54 53 4d 53 39 38 62 51 53 6a 45 65 57 50 48 76 51 30 34 33 4c 39 53 59 4e 62 4c 26 73 69 64 3d 63 35 32 62 34 37 65 34 2d 39 62 38 63 2d 31 31 65 62 2d 38 39 66 64 2d 32 64 64 35 65 35 34 62 32 38 30 66 27 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://www.wwwflixxy.com/sawc/?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYxODIzODY0NywiaWF0IjoxNjE4MjMxNDQ3LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIycHFocHJiNzJxdjBwZ3Y3ZnMxOWFlNmYiLCJuYmYiOjE2MTgyMzE0NDcsInRzIjoxNjE4MjMxNDQ3MDcxODQ0fQ.dlrQjvsgyfZ80BozsQCrj-SwGO9qlj_XUTlN44RA5K4&lf=CZ6X&nN60m=oHoe0+b7kBAmda%2F0Hio%2FbDRlPufoMqcyuQMuAHeH1TSMS98bQSjEeWPHvQ043L9SYNbL&sid=c52b47e4-9b8c-11eb-89fd-2dd5e54b280f');</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49763	172.120.90.239	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 14:44:12.523111105 CEST	6408	OUT	GET /sawc/?lf=CZ6X&nN60m=LtE+xZw49qZxNGHwe/5duJoxTMG7p0RZVZ9/xidjWtVQjRXR0IRVZ3163NMz7MOSj/bw HTTP/1.1 Host: www.adanahabernet.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 14:44:12.727207899 CEST	6409	IN	HTTP/1.1 200 OK Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Server: Nginx Microsoft-HTTPAPI/2.0 X-Powered-By: Nginx Date: Mon, 12 Apr 2021 12:44:11 GMT Connection: close Data Raw: 33 0d 0a ef bb bf 0d 0a Data Ascii: 3

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49764	35.246.6.109	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 14:44:23.013834000 CEST	6415	OUT	GET /sawc/?lf=CZ6X&nN60m=tBYTJLloxChiPW5nd8ZkTRTjZAEjhK8ruaBpTwz2qB9ROPU5gMN3GO43/2+iRXsYUADi HTTP/1.1 Host: www.sidepiecebags.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 14:44:23.112587929 CEST	6416	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 12 Apr 2021 12:44:23 GMT Content-Length: 0 Connection: close location: https://www.sidepiecebags.com/sawc?lf=CZ6X&nN60m=tBYTJLloxChiPW5nd8ZkTRTjZAEjhK8ruaBpTwz2qB9ROPU5gMN3GO43%2F2+iRXsYUADi strict-transport-security: max-age=120 x-wix-request-id: 1618231463.06595580458311231 Age: 0 Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2 X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVjiVMoGgJZPyIJpdYBUTBrV,qquldgcFrj2n046g4RNSVO38E53VHF73OUfaaLx5QS1YgeUJqUXtid+86vZww+nL,2d58ifebGbosy5xc+FRalkmuQylsJA3V7E3glv1YWYkVHNk5u2d09JBfuIudoiNFGgqFbFMYwiXnFojPwdof6Is93w6LXo3u2avFp3+sQqQ=,2UNV7KOq4oGjA5+PKsX47HMD3XjoxaKbTYcffYmebS0=,sqmudy1rWy5CXemzdhzS/DvShABuJSyPlI0TjoOmnGJNG+KuK+VIZfbNzHJu0vJu,WHOG0+z0OllpcvLoF6CtMKCiVg5TzCetmiVmxYEc1wjcxUjJ8rpSPv59B752oTh6hyBvImev6xi3GuPfdt7N/g== Cache-Control: no-cache Server: Pepyaka/1.19.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49765	5.181.216.112	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 14:44:28.738830090 CEST	6417	OUT	GET /sawc/?nN60m=ZLBYf+dvKraj5xhFECL+Ta+rlTPSnPltnvpHOwD/x7pMqcIuVlTqLuPQwCL73z9ijdq8&lf=CZ6X HTTP/1.1 Host: www.mitraberdaya.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 14:44:29.873827934 CEST	6417	IN	HTTP/1.1 301 Moved Permanently Connection: close X-Powered-By: PHP/7.4.16 Content-Type: text/html; charset=UTF-8 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: https://www.mitraberdaya.com/sawc/?nN60m=ZLBYf+dvKraj5xhFECL+Ta+rlTPSnPltnvpHOwD/x7pMqcIuVlTqLuPQwCL73z9ijdq8&lf=CZ6X Content-Length: 0 Date: Mon, 12 Apr 2021 12:44:29 GMT Server: LiteSpeed Vary: User-Agent

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: PO.exe PID: 6856 Parent PID: 5872

General

Start time:	14:42:24
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\PO.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO.exe'
Imagebase:	0x590000
File size:	542208 bytes
MD5 hash:	4BB710142C4FA183E24DBD3CE3C7B51D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.760068080.0000000003C10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.759556718.0000000003B47000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.759427914.0000000003AFC000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: AddInProcess32.exe PID: 7140 Parent PID: 6856

General

Start time:	14:43:07
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Imagebase:	0xff0000
File size:	42080 bytes
MD5 hash:	F2A47587431C466535F3C3D3427724BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.792786425.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.793241716.0000000001550000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.793449385.00000000018D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Analysis Process: explorer.exe PID: 3424 Parent PID: 7140

General

Start time:	14:43:13
Start date:	12/04/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: wlanext.exe PID: 6984 Parent PID: 3424

General

Start time:	14:43:29
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wlanext.exe
Imagebase:	0x2a0000
File size:	78848 bytes
MD5 hash:	CD1ED9A48316D58513D8ECB2D55B5C04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.909160222.0000000000330000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.909733720.0000000002830000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 4488 Parent PID: 6984

General

Start time:	14:43:34
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7080 Parent PID: 4488

General

Start time:	14:43:35
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers