Windows Analysis Report 583475.exe

Overview

General Information

Sample Name:	583475.exe
Analysis ID:	510246
MD5:	721356bfa1f8c23d40f6b2ff77b55db0
SHA1:	c4d25b17c64716f2e7558bd302cd901bd63757d8
SHA256:	e876c1db90717ff0819f4fc578adace61decdad64963836ebc9ae983dc87a5d6
Tags:	exexloader
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Writes to foreign memory regions

Machine Learning detection for sample

Allocates memory in foreign processes

Performs DNS queries to domains with low reputation

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

.NET source code contains very large array initializations

Tries to detect virtualization through RDTSC time measurements

Sigma detected: CMSTP Execution Process Creation

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

Uses insecure TLS / SSL version for HTTPS connection

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.eeeptou.xyz/uat8/"], "decoy": ["suddennnnnnnnnnnn47.xyz", "fggj99.com", "ojosnegroshacienda.com", "tinyhollywood.com", "marketersmeetup.com", "anushreehomemadeproducts.online", "appsdeals14.com", "ocean-breath-retreat.com", "subin-party.com", "offroad.wiki", "coryfairbanks.com", "algurgpaint.net", "k1snks.com", "florakitchens.com", "tollywoodbold.com", "kzkidz.com", "bequestporfze.xyz", "tiplovellc.com", "city-ad.com", "strombolidefilm.com", "789trangchu.xyz", "transfer-news.pro", "wtv864.com", "seospiders.xyz", "bargaingreat.com", "clarysvillemotel.online", "fbiicrc.com", "pf-hi.com", "perverseonline.com", "hugevari.com", "dilekcaglar.online", "authorakkingsley.com", "cloudlessinc.com", "newjourneypro.com", "vacuumcoolingsouthamerica.com", "oursalesguide.com", "shopsoulandstone.com", "circularsmartcity.com", "segwayw.com", "tackle.tools", "tech-franchisee.com", "ff4c2m3vc.xyz", "nlug.net", "artofadhd.zone", "xfqmwk.xyz", "ossname.xyz", "copost.net", "kokosiborsel.quest", "abbastanza.info", "eyehealthtnpasumo4.xyz", "mashburnblog.com", "looped.agency", "atlasgsllc.com", "nimbleiter.com", "nzaz2.xyz", "varundeshpande.com", "foodbevtech.com", "cassandrajasmine.net", "taxunite.com", "hannahhirsh.com", "stonebay.pizza", "xh-kd.com", "tealdazzleshop.com", "wkpnmqfb.com"]}

Yara detected FormBook

Source: Yara match	File source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: 583475.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 7.0.AddInProcess32.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.AddInProcess32.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.AddInProcess32.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.AddInProcess32.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: 583475.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 142.250.185.228:443 -> 192.168.2.4:49757 version: TLS 1.0

Source: 583475.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: cmstp.pdbGCTL source: AddInProcess32.exe, 00000007.00000002.830902849.00000000017C0000.00000040.00020000.sdmp
Source:	Binary string: AddInProcess32.pdb source: 583475.exe, 00000000.00000003.729306073.0000000006746000.00000004.00000001.sdmp, AddInProcess32.exe, cmstp.exe, 00000011.00000002.920345538.0000000000CEC000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000007.00000002.830147581.00000000012F0000.00000040.00000001.sdmp, cmstp.exe, 00000011.00000002.921765476.0000000004F2F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, cmstp.exe
Source:	Binary string: cmstp.pdb source: AddInProcess32.exe, 00000007.00000002.830902849.00000000017C0000.00000040.00020000.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: 583475.exe, 00000000.00000003.729306073.0000000006746000.00000004.00000001.sdmp, AddInProcess32.exe, 00000007.00000000.731556294.0000000000892000.00000002.00020000.sdmp, cmstp.exe, 00000011.00000002.920345538.0000000000CEC000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_02ABFC70
Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then jmp 067C8B79h	0_2_067C82F0
Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_067CCF8C
Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_067CDD68
Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_067CDD68
Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_067CD564
Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then xor edx, edx	0_2_067CDCA0
Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then xor edx, edx	0_2_067CDC96
Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_067CDD5C
Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_067CDD5C
Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_067CDA48
Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_067CDA48
Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_067CDA3D
Source: C:\Users\user\Desktop\583475.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_067CDA3D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 4x nop then pop edi	7_2_0040C3FD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop edi	17_2_02F9C3FD

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.appsdeals14.com
Source: C:\Windows\explorer.exe	Domain query: www.tinyhollywood.com
Source: C:\Windows\explorer.exe	Network Connect: 68.66.224.28 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Performs DNS queries to domains with low reputation

Source:

DNS query: www.eeeptou.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.eeeptou.xyz/uat8/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: A2HOSTINGUS A2HOSTINGUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uat8/?7n=GRDJ3ughmVrqUFdKRM8Q0h4JrA2wYJd2LMNbPLjm/ZbIfdCCVia0cPEPKDDb+4lh8gF7&_2Jp=lPpXAD HTTP/1.1Host: www.tinyhollywood.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uat8/?7n=6Y3MMElcCL8ncUt/K0lRUija0CRc99ofqSlJjt4IDKVpKgRu3E5zG/kW1DnZY4iUvzuw&_2Jp=lPpXAD HTTP/1.1Host: www.appsdeals14.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 142.250.185.228:443 -> 192.168.2.4:49757 version: TLS 1.0

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 27 Oct 2021 14:30:57 GMTContent-Type: text/htmlContent-Length: 275ETag: "61774856-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Oct 2021 14:31:02 GMTServer: ApacheStrict-Transport-Security: max-age=63072000; includeSubDomainsX-Frame-Options: SAMEORIGINX-Content-Type-Options: nosniffContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: 583475.exe, 00000000.00000002.747848189.0000000006D7F000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: 583475.exe, 00000000.00000003.659153791.0000000006D81000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1E
Source: 583475.exe, 00000000.00000002.747848189.0000000006D7F000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: 583475.exe, 00000000.00000003.659153791.0000000006D81000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/gE
Source: 583475.exe, 00000000.00000002.747848189.0000000006D7F000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: 583475.exe, 00000000.00000003.659153791.0000000006D81000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobjE
Source: 583475.exe, 00000000.00000003.658913034.0000000006D81000.00000004.00000001.sdmp	String found in binary or memory: http://ns.d
Source: 583475.exe, 00000000.00000002.741286003.0000000002C41000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 583475.exe, 00000000.00000002.741286003.0000000002C41000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: 583475.exe, 00000000.00000002.741286003.0000000002C41000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/

Source: unknown

DNS traffic detected: queries for: www.google.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uat8/?7n=GRDJ3ughmVrqUFdKRM8Q0h4JrA2wYJd2LMNbPLjm/ZbIfdCCVia0cPEPKDDb+4lh8gF7&_2Jp=lPpXAD HTTP/1.1Host: www.tinyhollywood.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uat8/?7n=6Y3MMElcCL8ncUt/K0lRUija0CRc99ofqSlJjt4IDKVpKgRu3E5zG/kW1DnZY4iUvzuw&_2Jp=lPpXAD HTTP/1.1Host: www.appsdeals14.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large array initializations

Source: 583475.exe, m1DY/f0L8.cs	Large array initialization: .cctor: array initializer size 4946
Source: 583475.exe, Zp0/e6J.cs	Large array initialization: .cctor: array initializer size 2762

Uses 32bit PE files

Source: 583475.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses a Windows Living Off The Land Binaries (LOL bins)

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe			Jump to behavior

Yara signature match

Source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Detected potential crypto function

Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_02AB7288	0_2_02AB7288
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_02AB7720	0_2_02AB7720
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067C1668	0_2_067C1668
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067C35D8	0_2_067C35D8
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067C82F0	0_2_067C82F0
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067C4F28	0_2_067C4F28
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067C6780	0_2_067C6780
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067CE520	0_2_067CE520
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067CE510	0_2_067CE510
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067C2350	0_2_067C2350
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067C60DB	0_2_067C60DB
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067CEAD0	0_2_067CEAD0
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067CEAC0	0_2_067CEAC0
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067C8BA0	0_2_067C8BA0
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067C8B99	0_2_067C8B99
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_00401030	7_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0041C912	7_2_0041C912
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0041BBD8	7_2_0041BBD8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_00408C70	7_2_00408C70
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_00402D90	7_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0041BE0F	7_2_0041BE0F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_00402FB0	7_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_00892050	7_2_00892050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01310D20	7_2_01310D20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01334120	7_2_01334120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0131F900	7_2_0131F900
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013E2D07	7_2_013E2D07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013E1D55	7_2_013E1D55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01342581	7_2_01342581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0132D5E0	7_2_0132D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0132841F	7_2_0132841F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013D1002	7_2_013D1002
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013420A0	7_2_013420A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013E20A8	7_2_013E20A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0132B090	7_2_0132B090
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013E2B28	7_2_013E2B28
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0134EBB0	7_2_0134EBB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013E1FF1	7_2_013E1FF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013DDBD2	7_2_013DDBD2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01336E30	7_2_01336E30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013E22AE	7_2_013E22AE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013E2EF7	7_2_013E2EF7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E4B090	17_2_04E4B090
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04EF1002	17_2_04EF1002
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E4841F	17_2_04E4841F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E4D5E0	17_2_04E4D5E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E62581	17_2_04E62581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04F01D55	17_2_04F01D55
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E30D20	17_2_04E30D20
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E54120	17_2_04E54120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E3F900	17_2_04E3F900
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E56E30	17_2_04E56E30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E6EBB0	17_2_04E6EBB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FAC912	17_2_02FAC912
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02F92FB0	17_2_02F92FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02F98C70	17_2_02F98C70
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02F92D90	17_2_02F92D90

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 0131B150 appears 35 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04E3B150 appears 32 times

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_004185D0 NtCreateFile,	7_2_004185D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_00418680 NtReadFile,	7_2_00418680
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_00418700 NtClose,	7_2_00418700
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_004187B0 NtAllocateVirtualMemory,	7_2_004187B0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_004185CA NtCreateFile,	7_2_004185CA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0041867A NtReadFile,	7_2_0041867A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_004186FA NtReadFile,NtClose,	7_2_004186FA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359910 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_01359910
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359540 NtReadFile,LdrInitializeThunk,	7_2_01359540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013599A0 NtCreateSection,LdrInitializeThunk,	7_2_013599A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013595D0 NtClose,LdrInitializeThunk,	7_2_013595D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359860 NtQuerySystemInformation,LdrInitializeThunk,	7_2_01359860
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359840 NtDelayExecution,LdrInitializeThunk,	7_2_01359840
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013598F0 NtReadVirtualMemory,LdrInitializeThunk,	7_2_013598F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359710 NtQueryInformationToken,LdrInitializeThunk,	7_2_01359710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013597A0 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_013597A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359780 NtMapViewOfSection,LdrInitializeThunk,	7_2_01359780
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359FE0 NtCreateMutant,LdrInitializeThunk,	7_2_01359FE0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359A20 NtResumeThread,LdrInitializeThunk,	7_2_01359A20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359A00 NtProtectVirtualMemory,LdrInitializeThunk,	7_2_01359A00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359660 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_01359660
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359A50 NtCreateFile,LdrInitializeThunk,	7_2_01359A50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013596E0 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_013596E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0135AD30 NtSetContextThread,	7_2_0135AD30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359520 NtWaitForSingleObject,	7_2_01359520
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359560 NtWriteFile,	7_2_01359560
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359950 NtQueueApcThread,	7_2_01359950
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013595F0 NtQueryInformationFile,	7_2_013595F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013599D0 NtCreateProcessEx,	7_2_013599D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359820 NtEnumerateKey,	7_2_01359820
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0135B040 NtSuspendThread,	7_2_0135B040
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013598A0 NtWriteVirtualMemory,	7_2_013598A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359730 NtQueryVirtualMemory,	7_2_01359730
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0135A710 NtOpenProcessToken,	7_2_0135A710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359B00 NtSetValueKey,	7_2_01359B00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359770 NtSetInformationFile,	7_2_01359770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0135A770 NtOpenThread,	7_2_0135A770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359760 NtOpenProcess,	7_2_01359760
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0135A3B0 NtGetContextThread,	7_2_0135A3B0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359610 NtEnumerateValueKey,	7_2_01359610
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359A10 NtQuerySection,	7_2_01359A10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359670 NtQueryInformationProcess,	7_2_01359670
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359650 NtQueryValueKey,	7_2_01359650
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_01359A80 NtOpenDirectoryObject,	7_2_01359A80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_013596D0 NtCreateKey,	7_2_013596D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79860 NtQuerySystemInformation,LdrInitializeThunk,	17_2_04E79860
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79840 NtDelayExecution,LdrInitializeThunk,	17_2_04E79840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E795D0 NtClose,LdrInitializeThunk,	17_2_04E795D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E799A0 NtCreateSection,LdrInitializeThunk,	17_2_04E799A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79540 NtReadFile,LdrInitializeThunk,	17_2_04E79540
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79910 NtAdjustPrivilegesToken,LdrInitializeThunk,	17_2_04E79910
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E796E0 NtFreeVirtualMemory,LdrInitializeThunk,	17_2_04E796E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E796D0 NtCreateKey,LdrInitializeThunk,	17_2_04E796D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79660 NtAllocateVirtualMemory,LdrInitializeThunk,	17_2_04E79660
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79A50 NtCreateFile,LdrInitializeThunk,	17_2_04E79A50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79650 NtQueryValueKey,LdrInitializeThunk,	17_2_04E79650
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79FE0 NtCreateMutant,LdrInitializeThunk,	17_2_04E79FE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79780 NtMapViewOfSection,LdrInitializeThunk,	17_2_04E79780
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79710 NtQueryInformationToken,LdrInitializeThunk,	17_2_04E79710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E798F0 NtReadVirtualMemory,	17_2_04E798F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E798A0 NtWriteVirtualMemory,	17_2_04E798A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E7B040 NtSuspendThread,	17_2_04E7B040
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79820 NtEnumerateKey,	17_2_04E79820
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E795F0 NtQueryInformationFile,	17_2_04E795F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E799D0 NtCreateProcessEx,	17_2_04E799D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79560 NtWriteFile,	17_2_04E79560
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79950 NtQueueApcThread,	17_2_04E79950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79520 NtWaitForSingleObject,	17_2_04E79520
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E7AD30 NtSetContextThread,	17_2_04E7AD30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79A80 NtOpenDirectoryObject,	17_2_04E79A80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79670 NtQueryInformationProcess,	17_2_04E79670
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79A20 NtResumeThread,	17_2_04E79A20
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79A00 NtProtectVirtualMemory,	17_2_04E79A00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79610 NtEnumerateValueKey,	17_2_04E79610
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79A10 NtQuerySection,	17_2_04E79A10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E797A0 NtUnmapViewOfSection,	17_2_04E797A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E7A3B0 NtGetContextThread,	17_2_04E7A3B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79760 NtOpenProcess,	17_2_04E79760
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79770 NtSetInformationFile,	17_2_04E79770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E7A770 NtOpenThread,	17_2_04E7A770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79730 NtQueryVirtualMemory,	17_2_04E79730
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E79B00 NtSetValueKey,	17_2_04E79B00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E7A710 NtOpenProcessToken,	17_2_04E7A710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FA8680 NtReadFile,	17_2_02FA8680
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FA87B0 NtAllocateVirtualMemory,	17_2_02FA87B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FA8700 NtClose,	17_2_02FA8700
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FA85D0 NtCreateFile,	17_2_02FA85D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FA86FA NtReadFile,NtClose,	17_2_02FA86FA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FA867A NtReadFile,	17_2_02FA867A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FA85CA NtCreateFile,	17_2_02FA85CA

Sample file is different than original file name gathered from version info

Source: 583475.exe, 00000000.00000002.741383689.0000000002CF3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPe6.dll" vs 583475.exe
Source: 583475.exe, 00000000.00000002.740499326.000000000094C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDemoProject2.exe: vs 583475.exe
Source: 583475.exe, 00000000.00000002.747381692.0000000006850000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs 583475.exe
Source: 583475.exe, 00000000.00000003.729306073.0000000006746000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAddInProcess32.exeT vs 583475.exe
Source: 583475.exe	Binary or memory string: OriginalFilenameDemoProject2.exe: vs 583475.exe

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B

Source: 583475.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\583475.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\583475.exe 'C:\Users\user\Desktop\583475.exe'
Source: C:\Users\user\Desktop\583475.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\583475.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'	Jump to behavior

Source: C:\Users\user\Desktop\583475.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_00845EAE push ebx; retf	0_2_00845EAF
Source: C:\Users\user\Desktop\583475.exe	Code function: 0_2_067CEE70 push E8FFFFFFh; retf	0_2_067CEE75
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0041B87C push eax; ret	7_2_0041B882
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0041B812 push eax; ret	7_2_0041B818
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0041B81B push eax; ret	7_2_0041B882
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_00407A17 push cs; iretd	7_2_00407A1F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_004152CE push edi; ret	7_2_00415355
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_004152FD push edi; ret	7_2_00415355
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_00415CCC push esp; iretd	7_2_00415CCD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_00414DAE push esi; iretd	7_2_00414DB2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_00414ED0 push ds; ret	7_2_00414ED1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0041B7C5 push eax; ret	7_2_0041B818
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 7_2_0136D0D1 push ecx; ret	7_2_0136D0E4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_04E8D0D1 push ecx; ret	17_2_04E8D0E4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FA52FD push edi; ret	17_2_02FA5355
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FA52CE push edi; ret	17_2_02FA5355
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02F97A17 push cs; iretd	17_2_02F97A1F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FABBF4 push 00000009h; iretd	17_2_02FABBF6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FAB87C push eax; ret	17_2_02FAB882
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FAB81B push eax; ret	17_2_02FAB882
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FAB812 push eax; ret	17_2_02FAB818
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FA4ED0 push ds; ret	17_2_02FA4ED1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FAC699 push eax; retf	17_2_02FAC69A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FAB7C5 push eax; ret	17_2_02FAB818
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FA5CCC push esp; iretd	17_2_02FA5CCD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 17_2_02FA4DAE push esi; iretd	17_2_02FA4DB2

Source: 583475.exe, Fq2/r8Q.cs	High entropy of concatenated method names: '.ctor', 'a8H', 'i8R', 'Tp4', 's7W', 'Gi4', 'n6D', 'Zg2', 'Rd8', 'a7R'
Source: 583475.exe, Yt9/r5P.cs	High entropy of concatenated method names: '.ctor', 'x5F', 'f0T7', 'Nk53', 'i6R4', 's8LZ', 'Ro40', 'Lx8s', 'j2SA', 'Kn62'
Source: 583475.exe, Je1w/Ec5i.cs	High entropy of concatenated method names: '.ctor', 'Cc0d', 'a5TL', 'Jz3c', 'p8KW', 'Jq19', 'Nn28', 'Pg1b', 'g2MY', 'w7KA'
Source: 583475.exe, f4J/Cx3.cs	High entropy of concatenated method names: '.ctor', 'Yq7', 'Ep4', 't8H', 'Zw4', 'g3J', 'j5W', 'z1M', 'a7M', 'Et3'
Source: 583475.exe, m1DY/f0L8.cs	High entropy of concatenated method names: '.ctor', 'Ym5r', 'Wa9g', 'm3W5', 'Py7i', 'Ak85', 'Wc18', 'An10', 'a6TP', 'Mo97'
Source: 583475.exe, Qg54/Xy40.cs	High entropy of concatenated method names: '.ctor', 'f5RG', 'Nq3a', 'Ta51', 'c4Q1', 't5A2', 'Qx0n', 'm6J1', 'z2SN', 'd4P1'
Source: 583475.exe, f6L/i0X.cs	High entropy of concatenated method names: '.ctor', 'n9X', 's0G', 'Gm4', 'Rf7', 'Ws0', 'Dn2', 'Wr6', 'o9W', 'Nb6'
Source: 583475.exe, Lk6/Jg7.cs	High entropy of concatenated method names: '.ctor', 'Sq0', 'Fb1', 'Wa5', 'Nz6', 'i6E', 'Tr4', 'Kd6', 'c5J', 'Qe1'
Source: 583475.exe, Sq2/Hn1.cs	High entropy of concatenated method names: '.ctor', 'Cz5', 'Qd4', 'Mj2', 'Cq2', 'Gw5', 'Zb8', 'Ez7', 's8M', 'Lz7'
Source: 583475.exe, f1R0/p0M1.cs	High entropy of concatenated method names: '.ctor', 'Jx71', 'Ci1s', 'Dm7f', 's5FA', 'Bb5j', 'Jg47', 'Ly51', 'Cm95', 'Bs8f'

Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 0000000002F98604 second address: 0000000002F9860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 0000000002F9898E second address: 0000000002F98994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\583475.exe TID: 6416	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe TID: 6416	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe TID: 4684	Thread sleep count: 502 > 30	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe TID: 4684	Thread sleep count: 9368 > 30	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\583475.exe	Window / User API: threadDelayed 502			Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Window / User API: threadDelayed 9368			Jump to behavior

Source: C:\Users\user\Desktop\583475.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: 583475.exe	Binary or memory string: IHGFSD
Source: explorer.exe, 00000009.00000000.783820666.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.780685564.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.783820666.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.761406468.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000009.00000000.751150955.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000009.00000000.766952588.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

Source: C:\Users\user\Desktop\583475.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\583475.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: A7E008	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Thread register set: target process: 3424	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Thread register set: target process: 3424	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 3424	Jump to behavior

Source: explorer.exe, 00000009.00000000.742102073.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000009.00000000.759241300.0000000001080000.00000002.00020000.sdmp, cmstp.exe, 00000011.00000002.921404234.00000000036D0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000009.00000000.759241300.0000000001080000.00000002.00020000.sdmp, cmstp.exe, 00000011.00000002.921404234.00000000036D0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.759241300.0000000001080000.00000002.00020000.sdmp, cmstp.exe, 00000011.00000002.921404234.00000000036D0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.759241300.0000000001080000.00000002.00020000.sdmp, cmstp.exe, 00000011.00000002.921404234.00000000036D0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000000.751150955.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\583475.exe	Queries volume information: C:\Users\user\Desktop\583475.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\583475.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.228	www.google.com	United States	15169	GOOGLEUS	false
34.102.136.180	tinyhollywood.com	United States	15169	GOOGLEUS	false
68.66.224.28	appsdeals14.com	United States	55293	A2HOSTINGUS	true

Name	IP	Active
www.eeeptou.xyz	104.21.96.92	true
tinyhollywood.com	34.102.136.180	true
www.google.com	142.250.185.228	true
appsdeals14.com	68.66.224.28	true
www.appsdeals14.com	unknown	unknown
www.tinyhollywood.com	unknown	unknown

Windows Analysis Report 583475.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.eeeptou.xyz/uat8/	true	Avira URL Cloud: safe	low
http://www.tinyhollywood.com/uat8/?7n=GRDJ3ughmVrqUFdKRM8Q0h4JrA2wYJd2LMNbPLjm/ZbIfdCCVia0cPEPKDDb+4lh8gF7&_2Jp=lPpXAD	false	Avira URL Cloud: safe	unknown
http://www.appsdeals14.com/uat8/?7n=6Y3MMElcCL8ncUt/K0lRUija0CRc99ofqSlJjt4IDKVpKgRu3E5zG/kW1DnZY4iUvzuw&_2Jp=lPpXAD	true	Avira URL Cloud: safe	unknown
https://www.google.com/	false		high

ID:	510246
Product:	CloudBasic
Start time:	16:28:10
Start date:	27.10.2021
Sample:	583475.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	721356bfa1f8c23d40f6b2ff77b55db0
SHA1:	c4d25b17c64716f2e7558bd302cd901bd63757d8
SHA256:	e876c1db90717ff0819f4fc578adace61decdad64963836ebc9ae983dc87a5d6
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\583475.exe.log	ASCII text, with CRLF line terminators	1B32E71ED0326337C6593D13A55E54F4	0452CD9E26B6C35A3D186FD6DDB1B3365AFDB16C	047E61E1F57F4922CA346203710E828859BB61800D9A72C2E64092EBB218CCA8
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	F2A47587431C466535F3C3D3427724BE	90DF719241CE04828F0DD4D31D683F84790515FF	23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B