Analysis Report SecuriteInfo.com.Trojan.Packed2.43183.29557.7257

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Packed2.43183.29557.7257 (renamed file extension from 7257 to exe)
Analysis ID: 432683
MD5: 4e9095ceadd56bc68a99947ab929f691
SHA1: bce676ea49fb6709dc0e9a23df2e918e05b4074b
SHA256: 1fe427cfa805bbabdc371ae3f6ccea4088ca76e8b9fce9828a74885d72339020
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.roamallday.com/sadn/"], "decoy": ["blessonschool.com", "lydialondon.com", "evln.xyz", "mychallengeiam.com", "stealthshop.net", "amybrownwhiteconsulting.info", "pakistanwholesaler.com", "authenticcase.com", "timothymaina.com", "kiem-etre.com", "thslot39.com", "tripprivee.com", "timeforbusinessblog.xyz", "afgecouncil100.com", "automotivesupplierdc.com", "thebigfoottheory.com", "resocoin.com", "healthepartner.com", "kkrazzybazar.com", "stgwxq.com", "tech4thelolo.com", "smshare2u.com", "mow-it-now.com", "seemymiamihome.com", "urbanadultstore.com", "tmvh8.com", "livelifelocalpublications.com", "blaxies3.com", "hotlab.info", "axmpjbwqh.icu", "lileshop.com", "genariofficial.com", "vibeofthetribe.com", "tldyyl.com", "dapurbuageung.com", "murrayburngundogs.com", "hertsandlondonknee.com", "mcfarline.com", "chicskr.com", "producepatties.com", "026lw.com", "humblehomeus.com", "accukoopje.com", "tantnewsgarre.website", "okettnet.net", "mattwilborne.info", "granthamrobotics.com", "theinfluenceprogram.net", "pointmortgageservicing.com", "garantiservice.com", "bossesbuildbusinesscredit.com", "oselsoft.xyz", "lareleverh.com", "mirzaissa-realtor.com", "tourneyphotos.com", "handpickednurse.com", "guiaconservador.com", "theliftquotient.com", "linkalto.com", "cosmoandcocrafts.com", "wzcp09.com", "mclpay.com", "jobjiihnb.club", "sudesheranga.com"]}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Virustotal: Detection: 33%
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.0.AddInProcess32.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.AddInProcess32.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
Source: Binary string: systray.pdb source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: systray.pdbGCTL source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, systray.exe, 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, systray.exe
Source: Binary string: AddInProcess32.pdbpw source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000000.725190319.0000000000CD2000.00000002.00020000.sdmp, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.roamallday.com/sadn/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /sadn/?5jDxn=9rYPWNexEp&9r8=cvOZMLUYKOYUB2MIVs3brF1aeCykDgyLTnisf2vSTBUNQvDIkJgvRwpKMlOnwLgVr/YP HTTP/1.1 | Host: www.granthamrobotics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sadn/?9r8=DXfJxxxI+/4CaoDoAzC1V5G6SJQKNuW4mru3KXZlF9SJY6Uq4c9wctugrHKIzz2k7BKt&5jDxn=9rYPWNexEp HTTP/1.1 | Host: www.mclpay.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 13.59.53.244 13.59.53.244
Source: global traffic HTTP traffic detected: GET /sadn/?5jDxn=9rYPWNexEp&9r8=cvOZMLUYKOYUB2MIVs3brF1aeCykDgyLTnisf2vSTBUNQvDIkJgvRwpKMlOnwLgVr/YP HTTP/1.1 | Host: www.granthamrobotics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sadn/?9r8=DXfJxxxI+/4CaoDoAzC1V5G6SJQKNuW4mru3KXZlF9SJY6Uq4c9wctugrHKIzz2k7BKt&5jDxn=9rYPWNexEp HTTP/1.1 | Host: www.mclpay.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown DNS traffic detected: queries for: www.granthamrobotics.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 10 Jun 2021 14:59:57 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.730902594.0000000006A83000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.652412615.0000000006A7E000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1P
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.730902594.0000000006A83000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.652412615.0000000006A7E000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/gP
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.730902594.0000000006A83000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.652412615.0000000006A7E000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobjP
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.652216791.0000000006A7E000.00000004.00000001.sdmp String found in binary or memory: http://ns.d
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731660422.0000000002780000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731639609.0000000002751000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000C.00000000.736993153.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731639609.0000000002751000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731639609.0000000002751000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, j2DC/Rb6y.cs Large array initialization: .cctor: array initializer size 3852
Source: 1.0.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, j2DC/Rb6y.cs Large array initialization: .cctor: array initializer size 3852
Source: 1.2.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, j2DC/Rb6y.cs Large array initialization: .cctor: array initializer size 3852
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_004181B0 NtCreateFile, 11_2_004181B0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_00418260 NtReadFile, 11_2_00418260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_004182E0 NtClose, 11_2_004182E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_00418390 NtAllocateVirtualMemory, 11_2_00418390
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_004181AA NtCreateFile, 11_2_004181AA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041825A NtReadFile, 11_2_0041825A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_004182E2 NtClose, 11_2_004182E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_017F9910
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F99A0 NtCreateSection,LdrInitializeThunk, 11_2_017F99A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9860 NtQuerySystemInformation,LdrInitializeThunk, 11_2_017F9860
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9840 NtDelayExecution,LdrInitializeThunk, 11_2_017F9840
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F98F0 NtReadVirtualMemory,LdrInitializeThunk, 11_2_017F98F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9A50 NtCreateFile,LdrInitializeThunk, 11_2_017F9A50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9A20 NtResumeThread,LdrInitializeThunk, 11_2_017F9A20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9A00 NtProtectVirtualMemory,LdrInitializeThunk, 11_2_017F9A00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9540 NtReadFile,LdrInitializeThunk, 11_2_017F9540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F95D0 NtClose,LdrInitializeThunk, 11_2_017F95D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9710 NtQueryInformationToken,LdrInitializeThunk, 11_2_017F9710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9FE0 NtCreateMutant,LdrInitializeThunk, 11_2_017F9FE0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F97A0 NtUnmapViewOfSection,LdrInitializeThunk, 11_2_017F97A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9780 NtMapViewOfSection,LdrInitializeThunk, 11_2_017F9780
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9660 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_017F9660
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F96E0 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_017F96E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9950 NtQueueApcThread, 11_2_017F9950
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F99D0 NtCreateProcessEx, 11_2_017F99D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017FB040 NtSuspendThread, 11_2_017FB040
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9820 NtEnumerateKey, 11_2_017F9820
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F98A0 NtWriteVirtualMemory, 11_2_017F98A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9B00 NtSetValueKey, 11_2_017F9B00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017FA3B0 NtGetContextThread, 11_2_017FA3B0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9A10 NtQuerySection, 11_2_017F9A10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9A80 NtOpenDirectoryObject, 11_2_017F9A80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9560 NtWriteFile, 11_2_017F9560
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017FAD30 NtSetContextThread, 11_2_017FAD30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9520 NtWaitForSingleObject, 11_2_017F9520
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F95F0 NtQueryInformationFile, 11_2_017F95F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017FA770 NtOpenThread, 11_2_017FA770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9770 NtSetInformationFile, 11_2_017F9770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9760 NtOpenProcess, 11_2_017F9760
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9730 NtQueryVirtualMemory, 11_2_017F9730
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017FA710 NtOpenProcessToken, 11_2_017FA710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9670 NtQueryInformationProcess, 11_2_017F9670
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9650 NtQueryValueKey, 11_2_017F9650
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F9610 NtEnumerateValueKey, 11_2_017F9610
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F96D0 NtCreateKey, 11_2_017F96D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9540 NtReadFile,LdrInitializeThunk, 17_2_045B9540
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B95D0 NtClose,LdrInitializeThunk, 17_2_045B95D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9650 NtQueryValueKey,LdrInitializeThunk, 17_2_045B9650
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9660 NtAllocateVirtualMemory,LdrInitializeThunk, 17_2_045B9660
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B96D0 NtCreateKey,LdrInitializeThunk, 17_2_045B96D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B96E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_045B96E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9710 NtQueryInformationToken,LdrInitializeThunk, 17_2_045B9710
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9FE0 NtCreateMutant,LdrInitializeThunk, 17_2_045B9FE0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9780 NtMapViewOfSection,LdrInitializeThunk, 17_2_045B9780
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9840 NtDelayExecution,LdrInitializeThunk, 17_2_045B9840
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_045B9860
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_045B9910
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B99A0 NtCreateSection,LdrInitializeThunk, 17_2_045B99A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9A50 NtCreateFile,LdrInitializeThunk, 17_2_045B9A50
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9560 NtWriteFile, 17_2_045B9560
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045BAD30 NtSetContextThread, 17_2_045BAD30
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9520 NtWaitForSingleObject, 17_2_045B9520
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B95F0 NtQueryInformationFile, 17_2_045B95F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9670 NtQueryInformationProcess, 17_2_045B9670
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9610 NtEnumerateValueKey, 17_2_045B9610
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045BA770 NtOpenThread, 17_2_045BA770
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9770 NtSetInformationFile, 17_2_045B9770
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9760 NtOpenProcess, 17_2_045B9760
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045BA710 NtOpenProcessToken, 17_2_045BA710
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9730 NtQueryVirtualMemory, 17_2_045B9730
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B97A0 NtUnmapViewOfSection, 17_2_045B97A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045BB040 NtSuspendThread, 17_2_045BB040
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9820 NtEnumerateKey, 17_2_045B9820
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B98F0 NtReadVirtualMemory, 17_2_045B98F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B98A0 NtWriteVirtualMemory, 17_2_045B98A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9950 NtQueueApcThread, 17_2_045B9950
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B99D0 NtCreateProcessEx, 17_2_045B99D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9A10 NtQuerySection, 17_2_045B9A10
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9A00 NtProtectVirtualMemory, 17_2_045B9A00
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9A20 NtResumeThread, 17_2_045B9A20
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9A80 NtOpenDirectoryObject, 17_2_045B9A80
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B9B00 NtSetValueKey, 17_2_045B9B00
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045BA3B0 NtGetContextThread, 17_2_045BA3B0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CD82E0 NtClose, 17_2_02CD82E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CD8260 NtReadFile, 17_2_02CD8260
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CD8390 NtAllocateVirtualMemory, 17_2_02CD8390
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CD81B0 NtCreateFile, 17_2_02CD81B0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CD82E2 NtClose, 17_2_02CD82E2
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CD825A NtReadFile, 17_2_02CD825A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CD81AA NtCreateFile, 17_2_02CD81AA
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_0662237C CreateProcessAsUserW, 1_2_0662237C
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_06621B18 1_2_06621B18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_06620040 1_2_06620040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_066148A2 1_2_066148A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_066163AB 1_2_066163AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_027280C0 1_2_027280C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_0272C5C0 1_2_0272C5C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_0272EE90 1_2_0272EE90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_0272BB98 1_2_0272BB98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_0272BDF0 1_2_0272BDF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041C06D 11_2_0041C06D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_00401030 11_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041C284 11_2_0041C284
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041CB0D 11_2_0041CB0D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041CB10 11_2_0041CB10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_00408C50 11_2_00408C50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041B573 11_2_0041B573
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_00402D90 11_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041C781 11_2_0041C781
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_00402FB0 11_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_00CD2050 11_2_00CD2050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017D4120 11_2_017D4120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BF900 11_2_017BF900
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018820A8 11_2_018820A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DA830 11_2_017DA830
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018828EC 11_2_018828EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871002 11_2_01871002
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0188E824 11_2_0188E824
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E20A0 11_2_017E20A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017CB090 11_2_017CB090
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DAB40 11_2_017DAB40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187DBD2 11_2_0187DBD2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018703DA 11_2_018703DA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01882B28 11_2_01882B28
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EEBB0 11_2_017EEBB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018822AE 11_2_018822AE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0186FA2B 11_2_0186FA2B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018825DD 11_2_018825DD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B0D20 11_2_017B0D20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01882D07 11_2_01882D07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017CD5E0 11_2_017CD5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01881D55 11_2_01881D55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E2581 11_2_017E2581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C841F 11_2_017C841F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187D466 11_2_0187D466
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0188DFCE 11_2_0188DFCE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01881FF1 11_2_01881FF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017D6E30 11_2_017D6E30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01882EF7 11_2_01882EF7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187D616 11_2_0187D616
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0463D466 17_2_0463D466
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0458841F 17_2_0458841F
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04641D55 17_2_04641D55
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04642D07 17_2_04642D07
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04570D20 17_2_04570D20
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0458D5E0 17_2_0458D5E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_046425DD 17_2_046425DD
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A2581 17_2_045A2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04596E30 17_2_04596E30
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0463D616 17_2_0463D616
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04642EF7 17_2_04642EF7
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04641FF1 17_2_04641FF1
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0464DFCE 17_2_0464DFCE
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0464E824 17_2_0464E824
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631002 17_2_04631002
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459A830 17_2_0459A830
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_046428EC 17_2_046428EC
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0458B090 17_2_0458B090
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_046420A8 17_2_046420A8
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A20A0 17_2_045A20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0457F900 17_2_0457F900
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04594120 17_2_04594120
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045999BF 17_2_045999BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0462FA2B 17_2_0462FA2B
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_046422AE 17_2_046422AE
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459AB40 17_2_0459AB40
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04642B28 17_2_04642B28
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0463DBD2 17_2_0463DBD2
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_046303DA 17_2_046303DA
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045AEBB0 17_2_045AEBB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CDCB0D 17_2_02CDCB0D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CDCB10 17_2_02CDCB10
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CDC781 17_2_02CDC781
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CC2FB0 17_2_02CC2FB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CC8C50 17_2_02CC8C50
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CC2D90 17_2_02CC2D90
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CDB573 17_2_02CDB573
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: String function: 017BB150 appears 54 times
Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 0457B150 appears 69 times
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731064405.00000000003A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStudent.exe0 vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731731070.0000000002801000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPe6.dll" vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.737040753.0000000003758000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAddInProcess32.exeT vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740459563.00000000062B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740075320.0000000005770000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Binary or memory string: OriginalFilenameStudent.exe0 vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/2@3/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Virustotal: Detection: 33%
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe ReversingLabs: Detection: 36%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
Source: Binary string: systray.pdb source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: systray.pdbGCTL source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, systray.exe, 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, systray.exe
Source: Binary string: AddInProcess32.pdbpw source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000000.725190319.0000000000CD2000.00000002.00020000.sdmp, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_003A3F39 pushfd ; ret 1_2_003A3F49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_003A3D29 push esp; ret 1_2_003A3D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_003A2320 push 450963C2h; retf 1_2_003A2352
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_003A3111 push 0000001Bh; iretd 1_2_003A3116
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_003A230E push 450963C2h; retf 1_2_003A2352
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_003A22B4 push ecx; retf 1_2_003A22B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_003A3AD7 push esi; iretd 1_2_003A3AD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_06610A2A push ds; ret 1_2_06610A51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_06614F63 push es; iretd 1_2_06615094
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Code function: 1_2_066105E6 pushfd ; iretd 1_2_06610613
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041B3F2 push eax; ret 11_2_0041B3F8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041B3FB push eax; ret 11_2_0041B462
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041B3A5 push eax; ret 11_2_0041B3F8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041B45C push eax; ret 11_2_0041B462
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0041C4CB push es; iretd 11_2_0041C4CC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_00415E0D push ecx; iretd 11_2_00415E1D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0180D0D1 push ecx; ret 11_2_0180D0E4
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045CD0D1 push ecx; ret 17_2_045CD0E4
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CDB3FB push eax; ret 17_2_02CDB462
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CDB3F2 push eax; ret 17_2_02CDB3F8
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CDB3A5 push eax; ret 17_2_02CDB3F8
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CC000A push edx; ret 17_2_02CC000B
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CD5E0D push ecx; iretd 17_2_02CD5E1D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CDC4CB push es; iretd 17_2_02CDC4CC
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_02CDB45C push eax; ret 17_2_02CDB462
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, Fs7/k3S.cs High entropy of concatenated method names: '.ctor', 'Rc8', 'Pp8', 'g2Z', 'w2Z', 'Cg3', 'e8H', 'Xn9', 'Fx2', 'Yy2'
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, Lk46/Tn40.cs High entropy of concatenated method names: '.ctor', 'p2EP', 'Kx1s', 'Ab5a', 'Xf51', 'z6MZ', 'Yf2j', 'd0SN', 'Zd3y', 'z3C9'
Source: 1.0.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, Fs7/k3S.cs High entropy of concatenated method names: '.ctor', 'Rc8', 'Pp8', 'g2Z', 'w2Z', 'Cg3', 'e8H', 'Xn9', 'Fx2', 'Yy2'
Source: 1.0.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, Lk46/Tn40.cs High entropy of concatenated method names: '.ctor', 'p2EP', 'Kx1s', 'Ab5a', 'Xf51', 'z6MZ', 'Yf2j', 'd0SN', 'Zd3y', 'z3C9'
Source: 1.2.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, Fs7/k3S.cs High entropy of concatenated method names: '.ctor', 'Rc8', 'Pp8', 'g2Z', 'w2Z', 'Cg3', 'e8H', 'Xn9', 'Fx2', 'Yy2'
Source: 1.2.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, Lk46/Tn40.cs High entropy of concatenated method names: '.ctor', 'p2EP', 'Kx1s', 'Ab5a', 'Xf51', 'z6MZ', 'Yf2j', 'd0SN', 'Zd3y', 'z3C9'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe File opened: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 0000000002CC85E4 second address: 0000000002CC85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 0000000002CC896E second address: 0000000002CC8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_004088A0 rdtsc 11_2_004088A0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Window / User API: threadDelayed 1457
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Window / User API: threadDelayed 8364
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe TID: 7088 Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe TID: 6188 Thread sleep count: 1457 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe TID: 6188 Thread sleep count: 8364 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe TID: 7088 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Thread delayed: delay time: 30000
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740075320.0000000005770000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000000.748521488.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000C.00000000.753250873.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000C.00000000.749612554.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Binary or memory string: Dk/mhgfsdcb
Source: explorer.exe, 0000000C.00000000.753725854.000000000A897000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAb
Source: explorer.exe, 0000000C.00000000.745317933.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740075320.0000000005770000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000000.748521488.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000C.00000000.753363013.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740075320.0000000005770000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000000.748521488.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000C.00000000.745317933.0000000004710000.00000004.00000001.sdmp Binary or memory string: fb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&f
Source: explorer.exe, 0000000C.00000000.753421998.000000000A782000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740075320.0000000005770000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000000.748521488.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 0000000C.00000000.753849271.000000000A9A2000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_004088A0 rdtsc 11_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_00409B10 LdrLoadDll, 11_2_00409B10
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BB171 mov eax, dword ptr fs:[00000030h] 11_2_017BB171
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BC962 mov eax, dword ptr fs:[00000030h] 11_2_017BC962
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018749A4 mov eax, dword ptr fs:[00000030h] 11_2_018749A4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018369A6 mov eax, dword ptr fs:[00000030h] 11_2_018369A6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DB944 mov eax, dword ptr fs:[00000030h] 11_2_017DB944
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018351BE mov eax, dword ptr fs:[00000030h] 11_2_018351BE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E513A mov eax, dword ptr fs:[00000030h] 11_2_017E513A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017D4120 mov eax, dword ptr fs:[00000030h] 11_2_017D4120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017D4120 mov ecx, dword ptr fs:[00000030h] 11_2_017D4120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018441E8 mov eax, dword ptr fs:[00000030h] 11_2_018441E8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B9100 mov eax, dword ptr fs:[00000030h] 11_2_017B9100
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BB1E1 mov eax, dword ptr fs:[00000030h] 11_2_017BB1E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E61A0 mov eax, dword ptr fs:[00000030h] 11_2_017E61A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E2990 mov eax, dword ptr fs:[00000030h] 11_2_017E2990
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EA185 mov eax, dword ptr fs:[00000030h] 11_2_017EA185
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DC182 mov eax, dword ptr fs:[00000030h] 11_2_017DC182
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01833884 mov eax, dword ptr fs:[00000030h] 11_2_01833884
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017D0050 mov eax, dword ptr fs:[00000030h] 11_2_017D0050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DA830 mov eax, dword ptr fs:[00000030h] 11_2_017DA830
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E002D mov eax, dword ptr fs:[00000030h] 11_2_017E002D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0184B8D0 mov eax, dword ptr fs:[00000030h] 11_2_0184B8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0184B8D0 mov ecx, dword ptr fs:[00000030h] 11_2_0184B8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017CB02A mov eax, dword ptr fs:[00000030h] 11_2_017CB02A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01837016 mov eax, dword ptr fs:[00000030h] 11_2_01837016
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B58EC mov eax, dword ptr fs:[00000030h] 11_2_017B58EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B40E1 mov eax, dword ptr fs:[00000030h] 11_2_017B40E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01884015 mov eax, dword ptr fs:[00000030h] 11_2_01884015
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EF0BF mov ecx, dword ptr fs:[00000030h] 11_2_017EF0BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EF0BF mov eax, dword ptr fs:[00000030h] 11_2_017EF0BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F90AF mov eax, dword ptr fs:[00000030h] 11_2_017F90AF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E20A0 mov eax, dword ptr fs:[00000030h] 11_2_017E20A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01872073 mov eax, dword ptr fs:[00000030h] 11_2_01872073
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B9080 mov eax, dword ptr fs:[00000030h] 11_2_017B9080
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01881074 mov eax, dword ptr fs:[00000030h] 11_2_01881074
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E3B7A mov eax, dword ptr fs:[00000030h] 11_2_017E3B7A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0186D380 mov ecx, dword ptr fs:[00000030h] 11_2_0186D380
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187138A mov eax, dword ptr fs:[00000030h] 11_2_0187138A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BDB60 mov ecx, dword ptr fs:[00000030h] 11_2_017BDB60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BF358 mov eax, dword ptr fs:[00000030h] 11_2_017BF358
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01885BA5 mov eax, dword ptr fs:[00000030h] 11_2_01885BA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BDB40 mov eax, dword ptr fs:[00000030h] 11_2_017BDB40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018353CA mov eax, dword ptr fs:[00000030h] 11_2_018353CA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DDBE9 mov eax, dword ptr fs:[00000030h] 11_2_017DDBE9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187131B mov eax, dword ptr fs:[00000030h] 11_2_0187131B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E03E2 mov eax, dword ptr fs:[00000030h] 11_2_017E03E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01888B58 mov eax, dword ptr fs:[00000030h] 11_2_01888B58
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E4BAD mov eax, dword ptr fs:[00000030h] 11_2_017E4BAD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E2397 mov eax, dword ptr fs:[00000030h] 11_2_017E2397
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EB390 mov eax, dword ptr fs:[00000030h] 11_2_017EB390
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C1B8F mov eax, dword ptr fs:[00000030h] 11_2_017C1B8F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F927A mov eax, dword ptr fs:[00000030h] 11_2_017F927A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B9240 mov eax, dword ptr fs:[00000030h] 11_2_017B9240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F4A2C mov eax, dword ptr fs:[00000030h] 11_2_017F4A2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DA229 mov eax, dword ptr fs:[00000030h] 11_2_017DA229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017D3A1C mov eax, dword ptr fs:[00000030h] 11_2_017D3A1C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B5210 mov eax, dword ptr fs:[00000030h] 11_2_017B5210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B5210 mov ecx, dword ptr fs:[00000030h] 11_2_017B5210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B5210 mov eax, dword ptr fs:[00000030h] 11_2_017B5210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B5210 mov eax, dword ptr fs:[00000030h] 11_2_017B5210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BAA16 mov eax, dword ptr fs:[00000030h] 11_2_017BAA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BAA16 mov eax, dword ptr fs:[00000030h] 11_2_017BAA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C8A0A mov eax, dword ptr fs:[00000030h] 11_2_017C8A0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187AA16 mov eax, dword ptr fs:[00000030h] 11_2_0187AA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187AA16 mov eax, dword ptr fs:[00000030h] 11_2_0187AA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E2AE4 mov eax, dword ptr fs:[00000030h] 11_2_017E2AE4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E2ACB mov eax, dword ptr fs:[00000030h] 11_2_017E2ACB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017CAAB0 mov eax, dword ptr fs:[00000030h] 11_2_017CAAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017CAAB0 mov eax, dword ptr fs:[00000030h] 11_2_017CAAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EFAB0 mov eax, dword ptr fs:[00000030h] 11_2_017EFAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187EA55 mov eax, dword ptr fs:[00000030h] 11_2_0187EA55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01844257 mov eax, dword ptr fs:[00000030h] 11_2_01844257
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B52A5 mov eax, dword ptr fs:[00000030h] 11_2_017B52A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B52A5 mov eax, dword ptr fs:[00000030h] 11_2_017B52A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B52A5 mov eax, dword ptr fs:[00000030h] 11_2_017B52A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B52A5 mov eax, dword ptr fs:[00000030h] 11_2_017B52A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B52A5 mov eax, dword ptr fs:[00000030h] 11_2_017B52A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0186B260 mov eax, dword ptr fs:[00000030h] 11_2_0186B260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0186B260 mov eax, dword ptr fs:[00000030h] 11_2_0186B260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017ED294 mov eax, dword ptr fs:[00000030h] 11_2_017ED294
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017ED294 mov eax, dword ptr fs:[00000030h] 11_2_017ED294
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01888A62 mov eax, dword ptr fs:[00000030h] 11_2_01888A62
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DC577 mov eax, dword ptr fs:[00000030h] 11_2_017DC577
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DC577 mov eax, dword ptr fs:[00000030h] 11_2_017DC577
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018805AC mov eax, dword ptr fs:[00000030h] 11_2_018805AC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018805AC mov eax, dword ptr fs:[00000030h] 11_2_018805AC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017D7D50 mov eax, dword ptr fs:[00000030h] 11_2_017D7D50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F3D43 mov eax, dword ptr fs:[00000030h] 11_2_017F3D43
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E4D3B mov eax, dword ptr fs:[00000030h] 11_2_017E4D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E4D3B mov eax, dword ptr fs:[00000030h] 11_2_017E4D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E4D3B mov eax, dword ptr fs:[00000030h] 11_2_017E4D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h] 11_2_017C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h] 11_2_017C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h] 11_2_017C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h] 11_2_017C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h] 11_2_017C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h] 11_2_017C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h] 11_2_017C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h] 11_2_017C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h] 11_2_017C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h] 11_2_017C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h] 11_2_017C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h] 11_2_017C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C3D34 mov eax, dword ptr fs:[00000030h] 11_2_017C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01836DC9 mov eax, dword ptr fs:[00000030h] 11_2_01836DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01836DC9 mov eax, dword ptr fs:[00000030h] 11_2_01836DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01836DC9 mov eax, dword ptr fs:[00000030h] 11_2_01836DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01836DC9 mov ecx, dword ptr fs:[00000030h] 11_2_01836DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01836DC9 mov eax, dword ptr fs:[00000030h] 11_2_01836DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01836DC9 mov eax, dword ptr fs:[00000030h] 11_2_01836DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BAD30 mov eax, dword ptr fs:[00000030h] 11_2_017BAD30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187FDE2 mov eax, dword ptr fs:[00000030h] 11_2_0187FDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187FDE2 mov eax, dword ptr fs:[00000030h] 11_2_0187FDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187FDE2 mov eax, dword ptr fs:[00000030h] 11_2_0187FDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187FDE2 mov eax, dword ptr fs:[00000030h] 11_2_0187FDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01868DF1 mov eax, dword ptr fs:[00000030h] 11_2_01868DF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017CD5E0 mov eax, dword ptr fs:[00000030h] 11_2_017CD5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017CD5E0 mov eax, dword ptr fs:[00000030h] 11_2_017CD5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0183A537 mov eax, dword ptr fs:[00000030h] 11_2_0183A537
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01888D34 mov eax, dword ptr fs:[00000030h] 11_2_01888D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187E539 mov eax, dword ptr fs:[00000030h] 11_2_0187E539
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01833540 mov eax, dword ptr fs:[00000030h] 11_2_01833540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01863D40 mov eax, dword ptr fs:[00000030h] 11_2_01863D40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E1DB5 mov eax, dword ptr fs:[00000030h] 11_2_017E1DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E1DB5 mov eax, dword ptr fs:[00000030h] 11_2_017E1DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E1DB5 mov eax, dword ptr fs:[00000030h] 11_2_017E1DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E35A1 mov eax, dword ptr fs:[00000030h] 11_2_017E35A1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EFD9B mov eax, dword ptr fs:[00000030h] 11_2_017EFD9B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EFD9B mov eax, dword ptr fs:[00000030h] 11_2_017EFD9B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B2D8A mov eax, dword ptr fs:[00000030h] 11_2_017B2D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B2D8A mov eax, dword ptr fs:[00000030h] 11_2_017B2D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B2D8A mov eax, dword ptr fs:[00000030h] 11_2_017B2D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B2D8A mov eax, dword ptr fs:[00000030h] 11_2_017B2D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B2D8A mov eax, dword ptr fs:[00000030h] 11_2_017B2D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E2581 mov eax, dword ptr fs:[00000030h] 11_2_017E2581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E2581 mov eax, dword ptr fs:[00000030h] 11_2_017E2581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E2581 mov eax, dword ptr fs:[00000030h] 11_2_017E2581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E2581 mov eax, dword ptr fs:[00000030h] 11_2_017E2581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017D746D mov eax, dword ptr fs:[00000030h] 11_2_017D746D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EA44B mov eax, dword ptr fs:[00000030h] 11_2_017EA44B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EBC2C mov eax, dword ptr fs:[00000030h] 11_2_017EBC2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01888CD6 mov eax, dword ptr fs:[00000030h] 11_2_01888CD6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01836CF0 mov eax, dword ptr fs:[00000030h] 11_2_01836CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01836CF0 mov eax, dword ptr fs:[00000030h] 11_2_01836CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01836CF0 mov eax, dword ptr fs:[00000030h] 11_2_01836CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018714FB mov eax, dword ptr fs:[00000030h] 11_2_018714FB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871C06 mov eax, dword ptr fs:[00000030h] 11_2_01871C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0188740D mov eax, dword ptr fs:[00000030h] 11_2_0188740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0188740D mov eax, dword ptr fs:[00000030h] 11_2_0188740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0188740D mov eax, dword ptr fs:[00000030h] 11_2_0188740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01836C0A mov eax, dword ptr fs:[00000030h] 11_2_01836C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01836C0A mov eax, dword ptr fs:[00000030h] 11_2_01836C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01836C0A mov eax, dword ptr fs:[00000030h] 11_2_01836C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01836C0A mov eax, dword ptr fs:[00000030h] 11_2_01836C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0184C450 mov eax, dword ptr fs:[00000030h] 11_2_0184C450
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0184C450 mov eax, dword ptr fs:[00000030h] 11_2_0184C450
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C849B mov eax, dword ptr fs:[00000030h] 11_2_017C849B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01837794 mov eax, dword ptr fs:[00000030h] 11_2_01837794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01837794 mov eax, dword ptr fs:[00000030h] 11_2_01837794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01837794 mov eax, dword ptr fs:[00000030h] 11_2_01837794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017CFF60 mov eax, dword ptr fs:[00000030h] 11_2_017CFF60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017CEF40 mov eax, dword ptr fs:[00000030h] 11_2_017CEF40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EE730 mov eax, dword ptr fs:[00000030h] 11_2_017EE730
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B4F2E mov eax, dword ptr fs:[00000030h] 11_2_017B4F2E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017B4F2E mov eax, dword ptr fs:[00000030h] 11_2_017B4F2E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DF716 mov eax, dword ptr fs:[00000030h] 11_2_017DF716
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EA70E mov eax, dword ptr fs:[00000030h] 11_2_017EA70E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EA70E mov eax, dword ptr fs:[00000030h] 11_2_017EA70E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0188070D mov eax, dword ptr fs:[00000030h] 11_2_0188070D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0188070D mov eax, dword ptr fs:[00000030h] 11_2_0188070D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F37F5 mov eax, dword ptr fs:[00000030h] 11_2_017F37F5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0184FF10 mov eax, dword ptr fs:[00000030h] 11_2_0184FF10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0184FF10 mov eax, dword ptr fs:[00000030h] 11_2_0184FF10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01888F6A mov eax, dword ptr fs:[00000030h] 11_2_01888F6A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C8794 mov eax, dword ptr fs:[00000030h] 11_2_017C8794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0184FE87 mov eax, dword ptr fs:[00000030h] 11_2_0184FE87
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DAE73 mov eax, dword ptr fs:[00000030h] 11_2_017DAE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DAE73 mov eax, dword ptr fs:[00000030h] 11_2_017DAE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DAE73 mov eax, dword ptr fs:[00000030h] 11_2_017DAE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DAE73 mov eax, dword ptr fs:[00000030h] 11_2_017DAE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017DAE73 mov eax, dword ptr fs:[00000030h] 11_2_017DAE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C766D mov eax, dword ptr fs:[00000030h] 11_2_017C766D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_018346A7 mov eax, dword ptr fs:[00000030h] 11_2_018346A7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01880EA5 mov eax, dword ptr fs:[00000030h] 11_2_01880EA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01880EA5 mov eax, dword ptr fs:[00000030h] 11_2_01880EA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01880EA5 mov eax, dword ptr fs:[00000030h] 11_2_01880EA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C7E41 mov eax, dword ptr fs:[00000030h] 11_2_017C7E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C7E41 mov eax, dword ptr fs:[00000030h] 11_2_017C7E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C7E41 mov eax, dword ptr fs:[00000030h] 11_2_017C7E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C7E41 mov eax, dword ptr fs:[00000030h] 11_2_017C7E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C7E41 mov eax, dword ptr fs:[00000030h] 11_2_017C7E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C7E41 mov eax, dword ptr fs:[00000030h] 11_2_017C7E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0186FEC0 mov eax, dword ptr fs:[00000030h] 11_2_0186FEC0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BE620 mov eax, dword ptr fs:[00000030h] 11_2_017BE620
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01888ED6 mov eax, dword ptr fs:[00000030h] 11_2_01888ED6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EA61C mov eax, dword ptr fs:[00000030h] 11_2_017EA61C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017EA61C mov eax, dword ptr fs:[00000030h] 11_2_017EA61C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BC600 mov eax, dword ptr fs:[00000030h] 11_2_017BC600
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BC600 mov eax, dword ptr fs:[00000030h] 11_2_017BC600
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017BC600 mov eax, dword ptr fs:[00000030h] 11_2_017BC600
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E8E00 mov eax, dword ptr fs:[00000030h] 11_2_017E8E00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_01871608 mov eax, dword ptr fs:[00000030h] 11_2_01871608
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E16E0 mov ecx, dword ptr fs:[00000030h] 11_2_017E16E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017C76E2 mov eax, dword ptr fs:[00000030h] 11_2_017C76E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017E36CC mov eax, dword ptr fs:[00000030h] 11_2_017E36CC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_017F8EC7 mov eax, dword ptr fs:[00000030h] 11_2_017F8EC7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0186FE3F mov eax, dword ptr fs:[00000030h] 11_2_0186FE3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187AE44 mov eax, dword ptr fs:[00000030h] 11_2_0187AE44
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 11_2_0187AE44 mov eax, dword ptr fs:[00000030h] 11_2_0187AE44
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045AA44B mov eax, dword ptr fs:[00000030h] 17_2_045AA44B
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0460C450 mov eax, dword ptr fs:[00000030h] 17_2_0460C450
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0460C450 mov eax, dword ptr fs:[00000030h] 17_2_0460C450
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459746D mov eax, dword ptr fs:[00000030h] 17_2_0459746D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F6C0A mov eax, dword ptr fs:[00000030h] 17_2_045F6C0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F6C0A mov eax, dword ptr fs:[00000030h] 17_2_045F6C0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F6C0A mov eax, dword ptr fs:[00000030h] 17_2_045F6C0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F6C0A mov eax, dword ptr fs:[00000030h] 17_2_045F6C0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631C06 mov eax, dword ptr fs:[00000030h] 17_2_04631C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0464740D mov eax, dword ptr fs:[00000030h] 17_2_0464740D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0464740D mov eax, dword ptr fs:[00000030h] 17_2_0464740D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0464740D mov eax, dword ptr fs:[00000030h] 17_2_0464740D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045ABC2C mov eax, dword ptr fs:[00000030h] 17_2_045ABC2C
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_046314FB mov eax, dword ptr fs:[00000030h] 17_2_046314FB
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F6CF0 mov eax, dword ptr fs:[00000030h] 17_2_045F6CF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F6CF0 mov eax, dword ptr fs:[00000030h] 17_2_045F6CF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F6CF0 mov eax, dword ptr fs:[00000030h] 17_2_045F6CF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04648CD6 mov eax, dword ptr fs:[00000030h] 17_2_04648CD6
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0458849B mov eax, dword ptr fs:[00000030h] 17_2_0458849B
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04597D50 mov eax, dword ptr fs:[00000030h] 17_2_04597D50
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B3D43 mov eax, dword ptr fs:[00000030h] 17_2_045B3D43
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F3540 mov eax, dword ptr fs:[00000030h] 17_2_045F3540
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04623D40 mov eax, dword ptr fs:[00000030h] 17_2_04623D40
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459C577 mov eax, dword ptr fs:[00000030h] 17_2_0459C577
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459C577 mov eax, dword ptr fs:[00000030h] 17_2_0459C577
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04648D34 mov eax, dword ptr fs:[00000030h] 17_2_04648D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0463E539 mov eax, dword ptr fs:[00000030h] 17_2_0463E539
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A4D3B mov eax, dword ptr fs:[00000030h] 17_2_045A4D3B
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A4D3B mov eax, dword ptr fs:[00000030h] 17_2_045A4D3B
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A4D3B mov eax, dword ptr fs:[00000030h] 17_2_045A4D3B
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0457AD30 mov eax, dword ptr fs:[00000030h] 17_2_0457AD30
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045FA537 mov eax, dword ptr fs:[00000030h] 17_2_045FA537
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04583D34 mov eax, dword ptr fs:[00000030h] 17_2_04583D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04583D34 mov eax, dword ptr fs:[00000030h] 17_2_04583D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04583D34 mov eax, dword ptr fs:[00000030h] 17_2_04583D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04583D34 mov eax, dword ptr fs:[00000030h] 17_2_04583D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04583D34 mov eax, dword ptr fs:[00000030h] 17_2_04583D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04583D34 mov eax, dword ptr fs:[00000030h] 17_2_04583D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04583D34 mov eax, dword ptr fs:[00000030h] 17_2_04583D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04583D34 mov eax, dword ptr fs:[00000030h] 17_2_04583D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04583D34 mov eax, dword ptr fs:[00000030h] 17_2_04583D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04583D34 mov eax, dword ptr fs:[00000030h] 17_2_04583D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04583D34 mov eax, dword ptr fs:[00000030h] 17_2_04583D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04583D34 mov eax, dword ptr fs:[00000030h] 17_2_04583D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04583D34 mov eax, dword ptr fs:[00000030h] 17_2_04583D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0463FDE2 mov eax, dword ptr fs:[00000030h] 17_2_0463FDE2
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0463FDE2 mov eax, dword ptr fs:[00000030h] 17_2_0463FDE2
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0463FDE2 mov eax, dword ptr fs:[00000030h] 17_2_0463FDE2
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0463FDE2 mov eax, dword ptr fs:[00000030h] 17_2_0463FDE2
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04628DF1 mov eax, dword ptr fs:[00000030h] 17_2_04628DF1
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F6DC9 mov eax, dword ptr fs:[00000030h] 17_2_045F6DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F6DC9 mov eax, dword ptr fs:[00000030h] 17_2_045F6DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F6DC9 mov eax, dword ptr fs:[00000030h] 17_2_045F6DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F6DC9 mov ecx, dword ptr fs:[00000030h] 17_2_045F6DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F6DC9 mov eax, dword ptr fs:[00000030h] 17_2_045F6DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F6DC9 mov eax, dword ptr fs:[00000030h] 17_2_045F6DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0458D5E0 mov eax, dword ptr fs:[00000030h] 17_2_0458D5E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0458D5E0 mov eax, dword ptr fs:[00000030h] 17_2_0458D5E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045AFD9B mov eax, dword ptr fs:[00000030h] 17_2_045AFD9B
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045AFD9B mov eax, dword ptr fs:[00000030h] 17_2_045AFD9B
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_046405AC mov eax, dword ptr fs:[00000030h] 17_2_046405AC
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_046405AC mov eax, dword ptr fs:[00000030h] 17_2_046405AC
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A2581 mov eax, dword ptr fs:[00000030h] 17_2_045A2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A2581 mov eax, dword ptr fs:[00000030h] 17_2_045A2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A2581 mov eax, dword ptr fs:[00000030h] 17_2_045A2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A2581 mov eax, dword ptr fs:[00000030h] 17_2_045A2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04572D8A mov eax, dword ptr fs:[00000030h] 17_2_04572D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04572D8A mov eax, dword ptr fs:[00000030h] 17_2_04572D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04572D8A mov eax, dword ptr fs:[00000030h] 17_2_04572D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04572D8A mov eax, dword ptr fs:[00000030h] 17_2_04572D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04572D8A mov eax, dword ptr fs:[00000030h] 17_2_04572D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A1DB5 mov eax, dword ptr fs:[00000030h] 17_2_045A1DB5
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A1DB5 mov eax, dword ptr fs:[00000030h] 17_2_045A1DB5
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A1DB5 mov eax, dword ptr fs:[00000030h] 17_2_045A1DB5
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A35A1 mov eax, dword ptr fs:[00000030h] 17_2_045A35A1
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04587E41 mov eax, dword ptr fs:[00000030h] 17_2_04587E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04587E41 mov eax, dword ptr fs:[00000030h] 17_2_04587E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04587E41 mov eax, dword ptr fs:[00000030h] 17_2_04587E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04587E41 mov eax, dword ptr fs:[00000030h] 17_2_04587E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04587E41 mov eax, dword ptr fs:[00000030h] 17_2_04587E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04587E41 mov eax, dword ptr fs:[00000030h] 17_2_04587E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0463AE44 mov eax, dword ptr fs:[00000030h] 17_2_0463AE44
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0463AE44 mov eax, dword ptr fs:[00000030h] 17_2_0463AE44
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459AE73 mov eax, dword ptr fs:[00000030h] 17_2_0459AE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459AE73 mov eax, dword ptr fs:[00000030h] 17_2_0459AE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459AE73 mov eax, dword ptr fs:[00000030h] 17_2_0459AE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459AE73 mov eax, dword ptr fs:[00000030h] 17_2_0459AE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459AE73 mov eax, dword ptr fs:[00000030h] 17_2_0459AE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0458766D mov eax, dword ptr fs:[00000030h] 17_2_0458766D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045AA61C mov eax, dword ptr fs:[00000030h] 17_2_045AA61C
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045AA61C mov eax, dword ptr fs:[00000030h] 17_2_045AA61C
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0457C600 mov eax, dword ptr fs:[00000030h] 17_2_0457C600
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0457C600 mov eax, dword ptr fs:[00000030h] 17_2_0457C600
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0457C600 mov eax, dword ptr fs:[00000030h] 17_2_0457C600
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A8E00 mov eax, dword ptr fs:[00000030h] 17_2_045A8E00
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0462FE3F mov eax, dword ptr fs:[00000030h] 17_2_0462FE3F
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04631608 mov eax, dword ptr fs:[00000030h] 17_2_04631608
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0457E620 mov eax, dword ptr fs:[00000030h] 17_2_0457E620
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A36CC mov eax, dword ptr fs:[00000030h] 17_2_045A36CC
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B8EC7 mov eax, dword ptr fs:[00000030h] 17_2_045B8EC7
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0462FEC0 mov eax, dword ptr fs:[00000030h] 17_2_0462FEC0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04648ED6 mov eax, dword ptr fs:[00000030h] 17_2_04648ED6
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A16E0 mov ecx, dword ptr fs:[00000030h] 17_2_045A16E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045876E2 mov eax, dword ptr fs:[00000030h] 17_2_045876E2
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04640EA5 mov eax, dword ptr fs:[00000030h] 17_2_04640EA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04640EA5 mov eax, dword ptr fs:[00000030h] 17_2_04640EA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04640EA5 mov eax, dword ptr fs:[00000030h] 17_2_04640EA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0460FE87 mov eax, dword ptr fs:[00000030h] 17_2_0460FE87
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F46A7 mov eax, dword ptr fs:[00000030h] 17_2_045F46A7
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04648F6A mov eax, dword ptr fs:[00000030h] 17_2_04648F6A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0458EF40 mov eax, dword ptr fs:[00000030h] 17_2_0458EF40
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0458FF60 mov eax, dword ptr fs:[00000030h] 17_2_0458FF60
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459F716 mov eax, dword ptr fs:[00000030h] 17_2_0459F716
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045AA70E mov eax, dword ptr fs:[00000030h] 17_2_045AA70E
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045AA70E mov eax, dword ptr fs:[00000030h] 17_2_045AA70E
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0464070D mov eax, dword ptr fs:[00000030h] 17_2_0464070D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0464070D mov eax, dword ptr fs:[00000030h] 17_2_0464070D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045AE730 mov eax, dword ptr fs:[00000030h] 17_2_045AE730
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0460FF10 mov eax, dword ptr fs:[00000030h] 17_2_0460FF10
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0460FF10 mov eax, dword ptr fs:[00000030h] 17_2_0460FF10
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04574F2E mov eax, dword ptr fs:[00000030h] 17_2_04574F2E
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04574F2E mov eax, dword ptr fs:[00000030h] 17_2_04574F2E
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B37F5 mov eax, dword ptr fs:[00000030h] 17_2_045B37F5
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F7794 mov eax, dword ptr fs:[00000030h] 17_2_045F7794
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F7794 mov eax, dword ptr fs:[00000030h] 17_2_045F7794
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F7794 mov eax, dword ptr fs:[00000030h] 17_2_045F7794
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04588794 mov eax, dword ptr fs:[00000030h] 17_2_04588794
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04590050 mov eax, dword ptr fs:[00000030h] 17_2_04590050
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04590050 mov eax, dword ptr fs:[00000030h] 17_2_04590050
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04632073 mov eax, dword ptr fs:[00000030h] 17_2_04632073
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04641074 mov eax, dword ptr fs:[00000030h] 17_2_04641074
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F7016 mov eax, dword ptr fs:[00000030h] 17_2_045F7016
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F7016 mov eax, dword ptr fs:[00000030h] 17_2_045F7016
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F7016 mov eax, dword ptr fs:[00000030h] 17_2_045F7016
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459A830 mov eax, dword ptr fs:[00000030h] 17_2_0459A830
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459A830 mov eax, dword ptr fs:[00000030h] 17_2_0459A830
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459A830 mov eax, dword ptr fs:[00000030h] 17_2_0459A830
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459A830 mov eax, dword ptr fs:[00000030h] 17_2_0459A830
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04644015 mov eax, dword ptr fs:[00000030h] 17_2_04644015
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04644015 mov eax, dword ptr fs:[00000030h] 17_2_04644015
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0458B02A mov eax, dword ptr fs:[00000030h] 17_2_0458B02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0458B02A mov eax, dword ptr fs:[00000030h] 17_2_0458B02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0458B02A mov eax, dword ptr fs:[00000030h] 17_2_0458B02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0458B02A mov eax, dword ptr fs:[00000030h] 17_2_0458B02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A002D mov eax, dword ptr fs:[00000030h] 17_2_045A002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A002D mov eax, dword ptr fs:[00000030h] 17_2_045A002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A002D mov eax, dword ptr fs:[00000030h] 17_2_045A002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A002D mov eax, dword ptr fs:[00000030h] 17_2_045A002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A002D mov eax, dword ptr fs:[00000030h] 17_2_045A002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0460B8D0 mov eax, dword ptr fs:[00000030h] 17_2_0460B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0460B8D0 mov ecx, dword ptr fs:[00000030h] 17_2_0460B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0460B8D0 mov eax, dword ptr fs:[00000030h] 17_2_0460B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0460B8D0 mov eax, dword ptr fs:[00000030h] 17_2_0460B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0460B8D0 mov eax, dword ptr fs:[00000030h] 17_2_0460B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0460B8D0 mov eax, dword ptr fs:[00000030h] 17_2_0460B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045740E1 mov eax, dword ptr fs:[00000030h] 17_2_045740E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045740E1 mov eax, dword ptr fs:[00000030h] 17_2_045740E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045740E1 mov eax, dword ptr fs:[00000030h] 17_2_045740E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045758EC mov eax, dword ptr fs:[00000030h] 17_2_045758EC
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459B8E4 mov eax, dword ptr fs:[00000030h] 17_2_0459B8E4
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459B8E4 mov eax, dword ptr fs:[00000030h] 17_2_0459B8E4
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04579080 mov eax, dword ptr fs:[00000030h] 17_2_04579080
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F3884 mov eax, dword ptr fs:[00000030h] 17_2_045F3884
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045F3884 mov eax, dword ptr fs:[00000030h] 17_2_045F3884
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045AF0BF mov ecx, dword ptr fs:[00000030h] 17_2_045AF0BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045AF0BF mov eax, dword ptr fs:[00000030h] 17_2_045AF0BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045AF0BF mov eax, dword ptr fs:[00000030h] 17_2_045AF0BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045B90AF mov eax, dword ptr fs:[00000030h] 17_2_045B90AF
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A20A0 mov eax, dword ptr fs:[00000030h] 17_2_045A20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A20A0 mov eax, dword ptr fs:[00000030h] 17_2_045A20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A20A0 mov eax, dword ptr fs:[00000030h] 17_2_045A20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A20A0 mov eax, dword ptr fs:[00000030h] 17_2_045A20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A20A0 mov eax, dword ptr fs:[00000030h] 17_2_045A20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A20A0 mov eax, dword ptr fs:[00000030h] 17_2_045A20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459B944 mov eax, dword ptr fs:[00000030h] 17_2_0459B944
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459B944 mov eax, dword ptr fs:[00000030h] 17_2_0459B944
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0457B171 mov eax, dword ptr fs:[00000030h] 17_2_0457B171
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0457B171 mov eax, dword ptr fs:[00000030h] 17_2_0457B171
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0457C962 mov eax, dword ptr fs:[00000030h] 17_2_0457C962
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04579100 mov eax, dword ptr fs:[00000030h] 17_2_04579100
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04579100 mov eax, dword ptr fs:[00000030h] 17_2_04579100
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04579100 mov eax, dword ptr fs:[00000030h] 17_2_04579100
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A513A mov eax, dword ptr fs:[00000030h] 17_2_045A513A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A513A mov eax, dword ptr fs:[00000030h] 17_2_045A513A
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04594120 mov eax, dword ptr fs:[00000030h] 17_2_04594120
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04594120 mov eax, dword ptr fs:[00000030h] 17_2_04594120
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04594120 mov eax, dword ptr fs:[00000030h] 17_2_04594120
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04594120 mov eax, dword ptr fs:[00000030h] 17_2_04594120
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_04594120 mov ecx, dword ptr fs:[00000030h] 17_2_04594120
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_046041E8 mov eax, dword ptr fs:[00000030h] 17_2_046041E8
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0457B1E1 mov eax, dword ptr fs:[00000030h] 17_2_0457B1E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0457B1E1 mov eax, dword ptr fs:[00000030h] 17_2_0457B1E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0457B1E1 mov eax, dword ptr fs:[00000030h] 17_2_0457B1E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_046349A4 mov eax, dword ptr fs:[00000030h] 17_2_046349A4
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_046349A4 mov eax, dword ptr fs:[00000030h] 17_2_046349A4
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_046349A4 mov eax, dword ptr fs:[00000030h] 17_2_046349A4
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_046349A4 mov eax, dword ptr fs:[00000030h] 17_2_046349A4
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045A2990 mov eax, dword ptr fs:[00000030h] 17_2_045A2990
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_0459C182 mov eax, dword ptr fs:[00000030h] 17_2_0459C182
Source: C:\Windows\SysWOW64\systray.exe Code function: 17_2_045AA185 mov eax, dword ptr fs:[00000030h] 17_2_045AA185
Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\systray.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 13.59.53.244 80
Source: C:\Windows\explorer.exe Domain query: www.granthamrobotics.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.mclpay.com
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Thread register set: target process: 3424
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\systray.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section unmapped: C:\Windows\SysWOW64\systray.exe base address: 1C0000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: FFD008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: explorer.exe, 0000000C.00000000.735084373.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000000C.00000000.735601535.0000000001080000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000C.00000000.735601535.0000000001080000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000000.735601535.0000000001080000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000000.735601535.0000000001080000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000C.00000000.753363013.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE