Analysis Report lpdKSOB78u.exe

AV Detection:

Found malware configuration

Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.torontotel.com/4qdc/"], "decoy": ["mangpe.asia", "mmstruckingllc.com", "ascendingworship.com", "gfeets.com", "smartcbda.com", "dreaminggrand.com", "dohostar.com", "farkindalik365.com", "weareexpatwomen.com", "gamereruns.com", "rosesandframes.com", "commagx4.info", "tarpleymusic.info", "szttskj.com", "calatheahomeservices.com", "qm7886.com", "emunmous.com", "deutschclub.com", "39palmavenue.com", "thepixxelgroup.com", "buildassetswealth.com", "oscarandmarina.com", "zingoworks.space", "edgewooddhr.net", "earth-emily.com", "belanjagratis.com", "sandrapidal.com", "btvstudios.com", "aberdareroyalcottages.com", "officialgiftclub.com", "kerdbooks.com", "havemercyinc.net", "sunsitek.com", "larek.store", "radioapostolicadigital.com", "xcuswaeheje.com", "ndk168.com", "pcareinc.com", "beconfidentagain.com", "codejunkys.com", "constancescot.com", "inbarrel.com", "thepurepharmacy.com", "finoblog.com", "orderbbqculinary.com", "bgshtswp.com", "hezhengnet.com", "clerolaustrie.com", "speedysnacksbox.com", "amazonia.coffee", "mnkmultiservicios.com", "antips.com", "powerofphoto.com", "trackyourvote.com", "equiposddl.com", "mintmobikeplus.com", "grn-shop.com", "fabslab.coffee", "musicindustrymag.com", "cyprusdivingcenters.com", "sunsilify.com", "rehabcareconnect.com", "kingscarehospital.com", "pompomlearning.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dll

ReversingLabs: Detection: 21%

Multi AV Scanner detection for submitted file

Source: lpdKSOB78u.exe	Virustotal: Detection: 44%			Perma Link
Source: lpdKSOB78u.exe	ReversingLabs: Detection: 36%

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: lpdKSOB78u.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.lpdKSOB78u.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.lpdKSOB78u.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: lpdKSOB78u.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: lpdKSOB78u.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: lpdKSOB78u.exe, 00000000.00000003.205218390.0000000002BF0000.00000004.00000001.sdmp, lpdKSOB78u.exe, 00000001.00000002.266056817.0000000000A8F000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: lpdKSOB78u.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp
Source:	Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
Source:	Binary string: RAServer.pdbGCTL source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		0_2_00405A15
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_004065C1 FindFirstFileA,FindClose,		0_2_004065C1
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_004027A1 FindFirstFileA,		0_2_004027A1

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 23.224.206.45:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 23.224.206.45:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 23.224.206.45:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 104.21.76.239:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 104.21.76.239:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 104.21.76.239:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49753 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49753 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49753 -> 34.102.136.180:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.torontotel.com/4qdc/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=n05rnph+IqNz0mbSS5vp9sGjLY7dyqnysY607r4vHHjCLr3ziiRBE07QjlPjM5GqarqD&2dz=onbha HTTP/1.1Host: www.pcareinc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=FDPsk0sff5Lw+z8Vw8rcgpm8MWqJfMs2bvH8+cW5/POI2TSyhlXdRmW8g+C2mzqgUbJY&2dz=onbha HTTP/1.1Host: www.antips.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=+7VgHCQQJYO0FHfoX4VwpMGRpMkf/fkwbCKrV3wMZoe5nkwvpaAzoW+aSblNd7Hd+wjC&2dz=onbha HTTP/1.1Host: www.edgewooddhr.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=fgRLe1wDsIR582SpVqHNrqc5X9FQKzC9eNMuu75MPd7YekjVZ2QEORs18XDbgwZ5UcjJ&2dz=onbha HTTP/1.1Host: www.ndk168.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=DRpehdA/33BzcPgqXFJLC0P+7mKy3AC9kGgryjypn4W4a4lypWUQvIUJQnrelubfkLFp&2dz=onbha HTTP/1.1Host: www.inbarrel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=ZB8Pl5eBC7Hephg+P6iGhrGYsApNwIB7ekAHWQJEYqlC8jRN6CLcZFL5CLWpIktyGytq&2dz=onbha HTTP/1.1Host: www.39palmavenue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=t6rgzpThEavL/zg9991GCjSWOfv9/TODS4c0mNe7yolhiaEFU/O6K33zqhrleftTdvyE&2dz=onbha HTTP/1.1Host: www.buildassetswealth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=uT9syTVFNHzfIlw/vi0ORJwgGNlm67yR3EiChoWxlToAUfSEqT6/a/KF0zmtzwOHQ1u8&2dz=onbha HTTP/1.1Host: www.beconfidentagain.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=XrM9oEi9W6a6X8UVQlR+JUyFbINbZfC+p7wdaOxjToB4fXjiFd7gjA62KvYw0vzt+GJp&2dz=onbha HTTP/1.1Host: www.rehabcareconnect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=oetlJbthpq9VCk3sxGtc819EDOSw/wKhNDSOaTnbk4bTW9QfHQR4t80kWNVKaJln9Y1c&2dz=onbha HTTP/1.1Host: www.speedysnacksbox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=o1YYd6Gi2K67gelLAX14ago2MHBzIaWFdtb1Ca8ijRLt6mEmIsAV47qF7pv8e7ASo7Rk&2dz=onbha HTTP/1.1Host: www.havemercyinc.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.91.197.27 208.91.197.27

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=n05rnph+IqNz0mbSS5vp9sGjLY7dyqnysY607r4vHHjCLr3ziiRBE07QjlPjM5GqarqD&2dz=onbha HTTP/1.1Host: www.pcareinc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=FDPsk0sff5Lw+z8Vw8rcgpm8MWqJfMs2bvH8+cW5/POI2TSyhlXdRmW8g+C2mzqgUbJY&2dz=onbha HTTP/1.1Host: www.antips.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=+7VgHCQQJYO0FHfoX4VwpMGRpMkf/fkwbCKrV3wMZoe5nkwvpaAzoW+aSblNd7Hd+wjC&2dz=onbha HTTP/1.1Host: www.edgewooddhr.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=fgRLe1wDsIR582SpVqHNrqc5X9FQKzC9eNMuu75MPd7YekjVZ2QEORs18XDbgwZ5UcjJ&2dz=onbha HTTP/1.1Host: www.ndk168.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=DRpehdA/33BzcPgqXFJLC0P+7mKy3AC9kGgryjypn4W4a4lypWUQvIUJQnrelubfkLFp&2dz=onbha HTTP/1.1Host: www.inbarrel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=ZB8Pl5eBC7Hephg+P6iGhrGYsApNwIB7ekAHWQJEYqlC8jRN6CLcZFL5CLWpIktyGytq&2dz=onbha HTTP/1.1Host: www.39palmavenue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=t6rgzpThEavL/zg9991GCjSWOfv9/TODS4c0mNe7yolhiaEFU/O6K33zqhrleftTdvyE&2dz=onbha HTTP/1.1Host: www.buildassetswealth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=uT9syTVFNHzfIlw/vi0ORJwgGNlm67yR3EiChoWxlToAUfSEqT6/a/KF0zmtzwOHQ1u8&2dz=onbha HTTP/1.1Host: www.beconfidentagain.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=XrM9oEi9W6a6X8UVQlR+JUyFbINbZfC+p7wdaOxjToB4fXjiFd7gjA62KvYw0vzt+GJp&2dz=onbha HTTP/1.1Host: www.rehabcareconnect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=oetlJbthpq9VCk3sxGtc819EDOSw/wKhNDSOaTnbk4bTW9QfHQR4t80kWNVKaJln9Y1c&2dz=onbha HTTP/1.1Host: www.speedysnacksbox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=o1YYd6Gi2K67gelLAX14ago2MHBzIaWFdtb1Ca8ijRLt6mEmIsAV47qF7pv8e7ASo7Rk&2dz=onbha HTTP/1.1Host: www.havemercyinc.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.pcareinc.com

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Type: text/htmlLast-Modified: Tue, 09 Jul 2019 06:18:14 GMTEtag: "999-5d2431a6-2d9d76b743ab0996;;;"Accept-Ranges: bytesContent-Length: 2457Date: Tue, 23 Feb 2021 08:20:07 GMTServer: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69 6f 63 74 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 74 79 70 65 73 23 20 73 6b 6f 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 34 2f 30 32 2f 73 6b 6f 73 2f 63 6f 72 65 23 20 78 73 64 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 40 63 68 61 72 73 65 74 20 22 55 54 46 2d 38 22 3b 0a 20 20 20 20 20 20 20 20 5b 6e 67 5c 3a 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 64 61 74 61 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 78 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 78 2d 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 68 69 64 65 3a 6e 6f 74 28 2e 6e 67 2d 68 69 64 65 2d 61 6e 69 6d 61 74 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 6e 67 5c 3a 66 6f 72 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 69 6d 61 74 65 2d 73 68 69 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 63 68 6f 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 2

Urls found in memory or binary data

Source: explorer.exe, 00000004.00000000.237000933.000000000F540000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27586/searchbtn.png)
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/BG_2.png)
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/Left.png)
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/Right.png)
Source: lpdKSOB78u.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: lpdKSOB78u.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://rdfs.org/sioc/ns#
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://rdfs.org/sioc/types#
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004054B2

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_004181B0 NtCreateFile,		1_2_004181B0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00418260 NtReadFile,		1_2_00418260
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_004182E0 NtClose,		1_2_004182E0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00418390 NtAllocateVirtualMemory,		1_2_00418390
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_004181AA NtCreateFile,		1_2_004181AA
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041825A NtReadFile,		1_2_0041825A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_004182DA NtClose,		1_2_004182DA
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D98F0 NtReadVirtualMemory,LdrInitializeThunk,		1_2_009D98F0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9840 NtDelayExecution,LdrInitializeThunk,		1_2_009D9840
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9860 NtQuerySystemInformation,LdrInitializeThunk,		1_2_009D9860
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D99A0 NtCreateSection,LdrInitializeThunk,		1_2_009D99A0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,		1_2_009D9910
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9A00 NtProtectVirtualMemory,LdrInitializeThunk,		1_2_009D9A00
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9A20 NtResumeThread,LdrInitializeThunk,		1_2_009D9A20
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9A50 NtCreateFile,LdrInitializeThunk,		1_2_009D9A50
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D95D0 NtClose,LdrInitializeThunk,		1_2_009D95D0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9540 NtReadFile,LdrInitializeThunk,		1_2_009D9540
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D96E0 NtFreeVirtualMemory,LdrInitializeThunk,		1_2_009D96E0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9660 NtAllocateVirtualMemory,LdrInitializeThunk,		1_2_009D9660
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk,		1_2_009D9780
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D97A0 NtUnmapViewOfSection,LdrInitializeThunk,		1_2_009D97A0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9FE0 NtCreateMutant,LdrInitializeThunk,		1_2_009D9FE0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9710 NtQueryInformationToken,LdrInitializeThunk,		1_2_009D9710
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D98A0 NtWriteVirtualMemory,		1_2_009D98A0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9820 NtEnumerateKey,		1_2_009D9820
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009DB040 NtSuspendThread,		1_2_009DB040
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D99D0 NtCreateProcessEx,		1_2_009D99D0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9950 NtQueueApcThread,		1_2_009D9950
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9A80 NtOpenDirectoryObject,		1_2_009D9A80
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9A10 NtQuerySection,		1_2_009D9A10
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009DA3B0 NtGetContextThread,		1_2_009DA3B0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9B00 NtSetValueKey,		1_2_009D9B00
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D95F0 NtQueryInformationFile,		1_2_009D95F0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009DAD30 NtSetContextThread,		1_2_009DAD30
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9520 NtWaitForSingleObject,		1_2_009D9520
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9560 NtWriteFile,		1_2_009D9560
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D96D0 NtCreateKey,		1_2_009D96D0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9610 NtEnumerateValueKey,		1_2_009D9610
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9650 NtQueryValueKey,		1_2_009D9650
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9670 NtQueryInformationProcess,		1_2_009D9670
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009DA710 NtOpenProcessToken,		1_2_009DA710
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9730 NtQueryVirtualMemory,		1_2_009D9730
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9770 NtSetInformationFile,		1_2_009D9770
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009DA770 NtOpenThread,		1_2_009DA770
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9760 NtOpenProcess,		1_2_009D9760
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_004181B0 NtCreateFile,		1_1_004181B0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_00418260 NtReadFile,		1_1_00418260
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_004182E0 NtClose,		1_1_004182E0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_00418390 NtAllocateVirtualMemory,		1_1_00418390
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_004181AA NtCreateFile,		1_1_004181AA
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_0041825A NtReadFile,		1_1_0041825A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_004182DA NtClose,		1_1_004182DA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09860 NtQuerySystemInformation,LdrInitializeThunk,		9_2_04B09860
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09840 NtDelayExecution,LdrInitializeThunk,		9_2_04B09840
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B099A0 NtCreateSection,LdrInitializeThunk,		9_2_04B099A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B095D0 NtClose,LdrInitializeThunk,		9_2_04B095D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09910 NtAdjustPrivilegesToken,LdrInitializeThunk,		9_2_04B09910
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09540 NtReadFile,LdrInitializeThunk,		9_2_04B09540
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B096E0 NtFreeVirtualMemory,LdrInitializeThunk,		9_2_04B096E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B096D0 NtCreateKey,LdrInitializeThunk,		9_2_04B096D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09660 NtAllocateVirtualMemory,LdrInitializeThunk,		9_2_04B09660
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09650 NtQueryValueKey,LdrInitializeThunk,		9_2_04B09650
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09A50 NtCreateFile,LdrInitializeThunk,		9_2_04B09A50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09780 NtMapViewOfSection,LdrInitializeThunk,		9_2_04B09780
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09FE0 NtCreateMutant,LdrInitializeThunk,		9_2_04B09FE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09710 NtQueryInformationToken,LdrInitializeThunk,		9_2_04B09710
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B098A0 NtWriteVirtualMemory,		9_2_04B098A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B098F0 NtReadVirtualMemory,		9_2_04B098F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09820 NtEnumerateKey,		9_2_04B09820
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B0B040 NtSuspendThread,		9_2_04B0B040
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B095F0 NtQueryInformationFile,		9_2_04B095F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B099D0 NtCreateProcessEx,		9_2_04B099D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B0AD30 NtSetContextThread,		9_2_04B0AD30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09520 NtWaitForSingleObject,		9_2_04B09520
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09560 NtWriteFile,		9_2_04B09560
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09950 NtQueueApcThread,		9_2_04B09950
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09A80 NtOpenDirectoryObject,		9_2_04B09A80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09A20 NtResumeThread,		9_2_04B09A20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09610 NtEnumerateValueKey,		9_2_04B09610
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09A10 NtQuerySection,		9_2_04B09A10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09A00 NtProtectVirtualMemory,		9_2_04B09A00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09670 NtQueryInformationProcess,		9_2_04B09670
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B0A3B0 NtGetContextThread,		9_2_04B0A3B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B097A0 NtUnmapViewOfSection,		9_2_04B097A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09730 NtQueryVirtualMemory,		9_2_04B09730
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B0A710 NtOpenProcessToken,		9_2_04B0A710
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09B00 NtSetValueKey,		9_2_04B09B00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09770 NtSetInformationFile,		9_2_04B09770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B0A770 NtOpenThread,		9_2_04B0A770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09760 NtOpenProcess,		9_2_04B09760
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B081B0 NtCreateFile,		9_2_00B081B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B082E0 NtClose,		9_2_00B082E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B08260 NtReadFile,		9_2_00B08260
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B08390 NtAllocateVirtualMemory,		9_2_00B08390
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B081AA NtCreateFile,		9_2_00B081AA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B082DA NtClose,		9_2_00B082DA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0825A NtReadFile,		9_2_00B0825A

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403486

Detected potential crypto function

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_00407272		0_2_00407272
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_00406A9B		0_2_00406A9B
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_70481A98		0_2_70481A98
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00401030		1_2_00401030
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00408C50		1_2_00408C50
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00408C0A		1_2_00408C0A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041BC2E		1_2_0041BC2E
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041B544		1_2_0041B544
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00402D87		1_2_00402D87
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00402D90		1_2_00402D90
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041C722		1_2_0041C722
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00402FB0		1_2_00402FB0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009AB090		1_2_009AB090
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51002		1_2_00A51002
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099F900		1_2_0099F900
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009B4120		1_2_009B4120
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009CEBB0		1_2_009CEBB0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00990D20		1_2_00990D20
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A61D55		1_2_00A61D55
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009B6E30		1_2_009B6E30
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_00401030		1_1_00401030
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADB090		9_2_04ADB090
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD841F		9_2_04AD841F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81002		9_2_04B81002
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADD5E0		9_2_04ADD5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC0D20		9_2_04AC0D20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE4120		9_2_04AE4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACF900		9_2_04ACF900
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B91D55		9_2_04B91D55
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE6E30		9_2_04AE6E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFEBB0		9_2_04AFEBB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0BC2A		9_2_00B0BC2A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00AF8C0A		9_2_00AF8C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00AF8C50		9_2_00AF8C50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00AF2D87		9_2_00AF2D87
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00AF2D90		9_2_00AF2D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00AF2FB0		9_2_00AF2FB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0C722		9_2_00B0C722

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dll 41B9F5241987338FAA262090BEAB1ADF4A9821497011BBE87D3A770F2C926666

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 04ACB150 appears 32 times
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: String function: 0041A090 appears 40 times

Sample file is different than original file name gathered from version info

Source: lpdKSOB78u.exe, 00000000.00000003.204440401.0000000002D0F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs lpdKSOB78u.exe
Source: lpdKSOB78u.exe, 00000000.00000002.211643992.0000000000C30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs lpdKSOB78u.exe
Source: lpdKSOB78u.exe, 00000001.00000002.265933060.0000000000969000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameraserver.exej% vs lpdKSOB78u.exe
Source: lpdKSOB78u.exe, 00000001.00000002.266056817.0000000000A8F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs lpdKSOB78u.exe

Uses 32bit PE files

Source: lpdKSOB78u.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Yara signature match

Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@14/8

Contains functionality to adjust token privileges (e.g. debug / backup)

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403486

Contains functionality to check free disk space

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404763

Contains functionality to enum processes or threads

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_703C4243 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

0_2_703C4243

Contains functionality to instantiate COM classes

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

0_2_0040216B

Creates mutexes

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01

Creates temporary files

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

File created: C:\Users\user\AppData\Local\Temp\nsx545.tmp

Jump to behavior

PE file has an executable .text section and no other executable section

Source: lpdKSOB78u.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: lpdKSOB78u.exe	Virustotal: Detection: 44%
Source: lpdKSOB78u.exe	ReversingLabs: Detection: 36%

Sample reads its own file content

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

File read: C:\Users\user\Desktop\lpdKSOB78u.exe

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe'
Source: unknown	Process created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\lpdKSOB78u.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Process created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\lpdKSOB78u.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: lpdKSOB78u.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: lpdKSOB78u.exe, 00000000.00000003.205218390.0000000002BF0000.00000004.00000001.sdmp, lpdKSOB78u.exe, 00000001.00000002.266056817.0000000000A8F000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: lpdKSOB78u.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp
Source:	Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
Source:	Binary string: RAServer.pdbGCTL source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_70481A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_70481A98

PE file contains sections with non-standard names

Source: h1luljvls0ea.dll.0.dr

Static PE information: section name: .code

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_70482F60 push eax; ret		0_2_70482F8E
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00416147 push esi; iretd		1_2_0041614A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00416125 push ds; retf		1_2_0041612B
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_004153DC push es; retf		1_2_004153E5
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041B3F2 push eax; ret		1_2_0041B3F8
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041B3FB push eax; ret		1_2_0041B462
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00415B8C push ebp; ret		1_2_00415BD2
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041B3A5 push eax; ret		1_2_0041B3F8
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041B45C push eax; ret		1_2_0041B462
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00414E12 push ebx; ret		1_2_00414E14
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00414FCB pushfd ; iretd		1_2_00414FCC
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009ED0D1 push ecx; ret		1_2_009ED0E4
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_00416147 push esi; iretd		1_1_0041614A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_00416125 push ds; retf		1_1_0041612B
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_004153DC push es; retf		1_1_004153E5
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_0041B3F2 push eax; ret		1_1_0041B3F8
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_0041B3FB push eax; ret		1_1_0041B462
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_00415B8C push ebp; ret		1_1_00415BD2
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_0041B3A5 push eax; ret		1_1_0041B3F8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B1D0D1 push ecx; ret		9_2_04B1D0E4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B06125 push ds; retf		9_2_00B0612B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B06147 push esi; iretd		9_2_00B0614A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0B3A5 push eax; ret		9_2_00B0B3F8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B05B8C push ebp; ret		9_2_00B05BD2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0B3F2 push eax; ret		9_2_00B0B3F8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0B3FB push eax; ret		9_2_00B0B462
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B053DC push es; retf		9_2_00B053E5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0B45C push eax; ret		9_2_00B0B462
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B04E12 push ebx; ret		9_2_00B04E14
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B04FCB pushfd ; iretd		9_2_00B04FCC

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .data entropy: 7.74690382322

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	File created: C:\Users\user\AppData\Local\Temp\nsr575.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	File created: C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 0000000000AF85E4 second address: 0000000000AF85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 0000000000AF896E second address: 0000000000AF8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 1_2_004088A0 rdtsc

1_2_004088A0

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 4832	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 6468	Thread sleep time: -44000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		0_2_00405A15
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_004065C1 FindFirstFileA,FindClose,		0_2_004065C1
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_004027A1 FindFirstFileA,		0_2_004027A1

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000004.00000000.232704653.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.232704653.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000004.00000000.233719341.0000000008907000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: explorer.exe, 00000004.00000000.237000933.000000000F540000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.231945952.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.230868572.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000002.483847310.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000004.00000000.232704653.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000004.00000000.232704653.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.232804005.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000004.00000000.225509168.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000004.00000000.230868572.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.230868572.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: lpdKSOB78u.exe, 00000000.00000002.211513573.0000000000808000.00000004.00000020.sdmp	Binary or memory string: ECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\>
Source: explorer.exe, 00000004.00000000.237000933.000000000F540000.00000004.00000001.sdmp	Binary or memory string: qeMusic
Source: explorer.exe, 00000004.00000000.230868572.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 1_2_004088A0 rdtsc

1_2_004088A0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 1_2_00409B10 LdrLoadDll,

1_2_00409B10

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_70481A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_70481A98

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_703C47AD mov eax, dword ptr fs:[00000030h]		0_2_703C47AD
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_703C45AA mov eax, dword ptr fs:[00000030h]		0_2_703C45AA
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00999080 mov eax, dword ptr fs:[00000030h]		1_2_00999080
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009CF0BF mov ecx, dword ptr fs:[00000030h]		1_2_009CF0BF
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h]		1_2_009CF0BF
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h]		1_2_009CF0BF
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h]		1_2_00A13884
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h]		1_2_00A13884
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D90AF mov eax, dword ptr fs:[00000030h]		1_2_009D90AF
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]		1_2_00A2B8D0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A2B8D0 mov ecx, dword ptr fs:[00000030h]		1_2_00A2B8D0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]		1_2_00A2B8D0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]		1_2_00A2B8D0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]		1_2_00A2B8D0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]		1_2_00A2B8D0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]		1_2_009AB02A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]		1_2_009AB02A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]		1_2_009AB02A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]		1_2_009AB02A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h]		1_2_00A64015
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h]		1_2_00A64015
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]		1_2_00A17016
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]		1_2_00A17016
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]		1_2_00A17016
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h]		1_2_009B0050
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h]		1_2_009B0050
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A61074 mov eax, dword ptr fs:[00000030h]		1_2_00A61074
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A52073 mov eax, dword ptr fs:[00000030h]		1_2_00A52073
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009CA185 mov eax, dword ptr fs:[00000030h]		1_2_009CA185
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009BC182 mov eax, dword ptr fs:[00000030h]		1_2_009BC182
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]		1_2_0099B1E1
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]		1_2_0099B1E1
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]		1_2_0099B1E1
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]		1_2_00999100
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]		1_2_00999100
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]		1_2_00999100
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009C513A mov eax, dword ptr fs:[00000030h]		1_2_009C513A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009C513A mov eax, dword ptr fs:[00000030h]		1_2_009C513A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]		1_2_009B4120
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]		1_2_009B4120
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]		1_2_009B4120
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]		1_2_009B4120
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009B4120 mov ecx, dword ptr fs:[00000030h]		1_2_009B4120
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h]		1_2_009BB944
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h]		1_2_009BB944
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h]		1_2_0099B171
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h]		1_2_0099B171
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h]		1_2_009CD294
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h]		1_2_009CD294
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009CFAB0 mov eax, dword ptr fs:[00000030h]		1_2_009CFAB0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]		1_2_009952A5
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]		1_2_009952A5
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]		1_2_009952A5
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]		1_2_009952A5
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]		1_2_009952A5
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h]		1_2_00A4B260
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h]		1_2_00A4B260
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A68A62 mov eax, dword ptr fs:[00000030h]		1_2_00A68A62
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]		1_2_00999240
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]		1_2_00999240
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]		1_2_00999240
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]		1_2_00999240
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D927A mov eax, dword ptr fs:[00000030h]		1_2_009D927A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A65BA5 mov eax, dword ptr fs:[00000030h]		1_2_00A65BA5
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h]		1_2_009A1B8F
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h]		1_2_009A1B8F
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A4D380 mov ecx, dword ptr fs:[00000030h]		1_2_00A4D380
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A5138A mov eax, dword ptr fs:[00000030h]		1_2_00A5138A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A5131B mov eax, dword ptr fs:[00000030h]		1_2_00A5131B
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099F358 mov eax, dword ptr fs:[00000030h]		1_2_0099F358
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099DB40 mov eax, dword ptr fs:[00000030h]		1_2_0099DB40
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h]		1_2_009C3B7A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h]		1_2_009C3B7A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099DB60 mov ecx, dword ptr fs:[00000030h]		1_2_0099DB60
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A68B58 mov eax, dword ptr fs:[00000030h]		1_2_00A68B58
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A514FB mov eax, dword ptr fs:[00000030h]		1_2_00A514FB
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A68CD6 mov eax, dword ptr fs:[00000030h]		1_2_00A68CD6
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]		1_2_00A51C06
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]		1_2_00A6740D
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]		1_2_00A6740D
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]		1_2_00A6740D
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009CBC2C mov eax, dword ptr fs:[00000030h]		1_2_009CBC2C
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h]		1_2_00A2C450
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h]		1_2_00A2C450
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009B746D mov eax, dword ptr fs:[00000030h]		1_2_009B746D
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h]		1_2_009CFD9B
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h]		1_2_009CFD9B
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]		1_2_00992D8A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]		1_2_00992D8A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]		1_2_00992D8A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]		1_2_00992D8A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]		1_2_00992D8A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009C35A1 mov eax, dword ptr fs:[00000030h]		1_2_009C35A1
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A48DF1 mov eax, dword ptr fs:[00000030h]		1_2_00A48DF1
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A68D34 mov eax, dword ptr fs:[00000030h]		1_2_00A68D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]		1_2_009C4D3B
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]		1_2_009C4D3B
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]		1_2_009C4D3B
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099AD30 mov eax, dword ptr fs:[00000030h]		1_2_0099AD30
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]		1_2_009A3D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]		1_2_009A3D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]		1_2_009A3D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]		1_2_009A3D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]		1_2_009A3D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]		1_2_009A3D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]		1_2_009A3D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]		1_2_009A3D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]		1_2_009A3D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]		1_2_009A3D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]		1_2_009A3D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]		1_2_009A3D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]		1_2_009A3D34
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009B7D50 mov eax, dword ptr fs:[00000030h]		1_2_009B7D50
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D3D43 mov eax, dword ptr fs:[00000030h]		1_2_009D3D43
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A13540 mov eax, dword ptr fs:[00000030h]		1_2_00A13540
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h]		1_2_009BC577
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h]		1_2_009BC577
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]		1_2_00A60EA5
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]		1_2_00A60EA5
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]		1_2_00A60EA5
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A146A7 mov eax, dword ptr fs:[00000030h]		1_2_00A146A7
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A2FE87 mov eax, dword ptr fs:[00000030h]		1_2_00A2FE87
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009C36CC mov eax, dword ptr fs:[00000030h]		1_2_009C36CC
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A4FEC0 mov eax, dword ptr fs:[00000030h]		1_2_00A4FEC0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A68ED6 mov eax, dword ptr fs:[00000030h]		1_2_00A68ED6
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A76E2 mov eax, dword ptr fs:[00000030h]		1_2_009A76E2
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009C16E0 mov ecx, dword ptr fs:[00000030h]		1_2_009C16E0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]		1_2_0099C600
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]		1_2_0099C600
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]		1_2_0099C600
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A4FE3F mov eax, dword ptr fs:[00000030h]		1_2_00A4FE3F
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099E620 mov eax, dword ptr fs:[00000030h]		1_2_0099E620
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009A766D mov eax, dword ptr fs:[00000030h]		1_2_009A766D
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A6070D mov eax, dword ptr fs:[00000030h]		1_2_00A6070D
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A6070D mov eax, dword ptr fs:[00000030h]		1_2_00A6070D
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009CE730 mov eax, dword ptr fs:[00000030h]		1_2_009CE730
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A2FF10 mov eax, dword ptr fs:[00000030h]		1_2_00A2FF10
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A2FF10 mov eax, dword ptr fs:[00000030h]		1_2_00A2FF10
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00994F2E mov eax, dword ptr fs:[00000030h]		1_2_00994F2E
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00994F2E mov eax, dword ptr fs:[00000030h]		1_2_00994F2E
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A68F6A mov eax, dword ptr fs:[00000030h]		1_2_00A68F6A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009AEF40 mov eax, dword ptr fs:[00000030h]		1_2_009AEF40
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009AFF60 mov eax, dword ptr fs:[00000030h]		1_2_009AFF60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFF0BF mov ecx, dword ptr fs:[00000030h]		9_2_04AFF0BF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFF0BF mov eax, dword ptr fs:[00000030h]		9_2_04AFF0BF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFF0BF mov eax, dword ptr fs:[00000030h]		9_2_04AFF0BF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B090AF mov eax, dword ptr fs:[00000030h]		9_2_04B090AF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC9080 mov eax, dword ptr fs:[00000030h]		9_2_04AC9080
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B43884 mov eax, dword ptr fs:[00000030h]		9_2_04B43884
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B43884 mov eax, dword ptr fs:[00000030h]		9_2_04B43884
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD849B mov eax, dword ptr fs:[00000030h]		9_2_04AD849B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B814FB mov eax, dword ptr fs:[00000030h]		9_2_04B814FB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B46CF0 mov eax, dword ptr fs:[00000030h]		9_2_04B46CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B46CF0 mov eax, dword ptr fs:[00000030h]		9_2_04B46CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B46CF0 mov eax, dword ptr fs:[00000030h]		9_2_04B46CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]		9_2_04B5B8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B5B8D0 mov ecx, dword ptr fs:[00000030h]		9_2_04B5B8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]		9_2_04B5B8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]		9_2_04B5B8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]		9_2_04B5B8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]		9_2_04B5B8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B98CD6 mov eax, dword ptr fs:[00000030h]		9_2_04B98CD6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF002D mov eax, dword ptr fs:[00000030h]		9_2_04AF002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF002D mov eax, dword ptr fs:[00000030h]		9_2_04AF002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF002D mov eax, dword ptr fs:[00000030h]		9_2_04AF002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF002D mov eax, dword ptr fs:[00000030h]		9_2_04AF002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF002D mov eax, dword ptr fs:[00000030h]		9_2_04AF002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFBC2C mov eax, dword ptr fs:[00000030h]		9_2_04AFBC2C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADB02A mov eax, dword ptr fs:[00000030h]		9_2_04ADB02A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADB02A mov eax, dword ptr fs:[00000030h]		9_2_04ADB02A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADB02A mov eax, dword ptr fs:[00000030h]		9_2_04ADB02A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADB02A mov eax, dword ptr fs:[00000030h]		9_2_04ADB02A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B47016 mov eax, dword ptr fs:[00000030h]		9_2_04B47016
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B47016 mov eax, dword ptr fs:[00000030h]		9_2_04B47016
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B47016 mov eax, dword ptr fs:[00000030h]		9_2_04B47016
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B94015 mov eax, dword ptr fs:[00000030h]		9_2_04B94015
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B94015 mov eax, dword ptr fs:[00000030h]		9_2_04B94015
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B9740D mov eax, dword ptr fs:[00000030h]		9_2_04B9740D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B9740D mov eax, dword ptr fs:[00000030h]		9_2_04B9740D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B9740D mov eax, dword ptr fs:[00000030h]		9_2_04B9740D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81C06 mov eax, dword ptr fs:[00000030h]		9_2_04B81C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B46C0A mov eax, dword ptr fs:[00000030h]		9_2_04B46C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B46C0A mov eax, dword ptr fs:[00000030h]		9_2_04B46C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B46C0A mov eax, dword ptr fs:[00000030h]		9_2_04B46C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B46C0A mov eax, dword ptr fs:[00000030h]		9_2_04B46C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE746D mov eax, dword ptr fs:[00000030h]		9_2_04AE746D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B82073 mov eax, dword ptr fs:[00000030h]		9_2_04B82073
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B91074 mov eax, dword ptr fs:[00000030h]		9_2_04B91074
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFA44B mov eax, dword ptr fs:[00000030h]		9_2_04AFA44B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B5C450 mov eax, dword ptr fs:[00000030h]		9_2_04B5C450
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B5C450 mov eax, dword ptr fs:[00000030h]		9_2_04B5C450
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE0050 mov eax, dword ptr fs:[00000030h]		9_2_04AE0050
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE0050 mov eax, dword ptr fs:[00000030h]		9_2_04AE0050
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B451BE mov eax, dword ptr fs:[00000030h]		9_2_04B451BE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B451BE mov eax, dword ptr fs:[00000030h]		9_2_04B451BE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B451BE mov eax, dword ptr fs:[00000030h]		9_2_04B451BE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B451BE mov eax, dword ptr fs:[00000030h]		9_2_04B451BE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF35A1 mov eax, dword ptr fs:[00000030h]		9_2_04AF35A1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF61A0 mov eax, dword ptr fs:[00000030h]		9_2_04AF61A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF61A0 mov eax, dword ptr fs:[00000030h]		9_2_04AF61A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B469A6 mov eax, dword ptr fs:[00000030h]		9_2_04B469A6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF1DB5 mov eax, dword ptr fs:[00000030h]		9_2_04AF1DB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF1DB5 mov eax, dword ptr fs:[00000030h]		9_2_04AF1DB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF1DB5 mov eax, dword ptr fs:[00000030h]		9_2_04AF1DB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC2D8A mov eax, dword ptr fs:[00000030h]		9_2_04AC2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC2D8A mov eax, dword ptr fs:[00000030h]		9_2_04AC2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC2D8A mov eax, dword ptr fs:[00000030h]		9_2_04AC2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC2D8A mov eax, dword ptr fs:[00000030h]		9_2_04AC2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC2D8A mov eax, dword ptr fs:[00000030h]		9_2_04AC2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFA185 mov eax, dword ptr fs:[00000030h]		9_2_04AFA185
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AEC182 mov eax, dword ptr fs:[00000030h]		9_2_04AEC182
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFFD9B mov eax, dword ptr fs:[00000030h]		9_2_04AFFD9B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFFD9B mov eax, dword ptr fs:[00000030h]		9_2_04AFFD9B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF2990 mov eax, dword ptr fs:[00000030h]		9_2_04AF2990
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B78DF1 mov eax, dword ptr fs:[00000030h]		9_2_04B78DF1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACB1E1 mov eax, dword ptr fs:[00000030h]		9_2_04ACB1E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACB1E1 mov eax, dword ptr fs:[00000030h]		9_2_04ACB1E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACB1E1 mov eax, dword ptr fs:[00000030h]		9_2_04ACB1E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADD5E0 mov eax, dword ptr fs:[00000030h]		9_2_04ADD5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADD5E0 mov eax, dword ptr fs:[00000030h]		9_2_04ADD5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B541E8 mov eax, dword ptr fs:[00000030h]		9_2_04B541E8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B4A537 mov eax, dword ptr fs:[00000030h]		9_2_04B4A537
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B98D34 mov eax, dword ptr fs:[00000030h]		9_2_04B98D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE4120 mov eax, dword ptr fs:[00000030h]		9_2_04AE4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE4120 mov eax, dword ptr fs:[00000030h]		9_2_04AE4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE4120 mov eax, dword ptr fs:[00000030h]		9_2_04AE4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE4120 mov eax, dword ptr fs:[00000030h]		9_2_04AE4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE4120 mov ecx, dword ptr fs:[00000030h]		9_2_04AE4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF4D3B mov eax, dword ptr fs:[00000030h]		9_2_04AF4D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF4D3B mov eax, dword ptr fs:[00000030h]		9_2_04AF4D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF4D3B mov eax, dword ptr fs:[00000030h]		9_2_04AF4D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF513A mov eax, dword ptr fs:[00000030h]		9_2_04AF513A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF513A mov eax, dword ptr fs:[00000030h]		9_2_04AF513A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD3D34 mov eax, dword ptr fs:[00000030h]		9_2_04AD3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD3D34 mov eax, dword ptr fs:[00000030h]		9_2_04AD3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD3D34 mov eax, dword ptr fs:[00000030h]		9_2_04AD3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD3D34 mov eax, dword ptr fs:[00000030h]		9_2_04AD3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD3D34 mov eax, dword ptr fs:[00000030h]		9_2_04AD3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD3D34 mov eax, dword ptr fs:[00000030h]		9_2_04AD3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD3D34 mov eax, dword ptr fs:[00000030h]		9_2_04AD3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD3D34 mov eax, dword ptr fs:[00000030h]		9_2_04AD3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD3D34 mov eax, dword ptr fs:[00000030h]		9_2_04AD3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD3D34 mov eax, dword ptr fs:[00000030h]		9_2_04AD3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD3D34 mov eax, dword ptr fs:[00000030h]		9_2_04AD3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD3D34 mov eax, dword ptr fs:[00000030h]		9_2_04AD3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD3D34 mov eax, dword ptr fs:[00000030h]		9_2_04AD3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACAD30 mov eax, dword ptr fs:[00000030h]		9_2_04ACAD30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC9100 mov eax, dword ptr fs:[00000030h]		9_2_04AC9100
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC9100 mov eax, dword ptr fs:[00000030h]		9_2_04AC9100
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC9100 mov eax, dword ptr fs:[00000030h]		9_2_04AC9100
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACC962 mov eax, dword ptr fs:[00000030h]		9_2_04ACC962
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AEC577 mov eax, dword ptr fs:[00000030h]		9_2_04AEC577
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AEC577 mov eax, dword ptr fs:[00000030h]		9_2_04AEC577
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACB171 mov eax, dword ptr fs:[00000030h]		9_2_04ACB171
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACB171 mov eax, dword ptr fs:[00000030h]		9_2_04ACB171
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AEB944 mov eax, dword ptr fs:[00000030h]		9_2_04AEB944
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AEB944 mov eax, dword ptr fs:[00000030h]		9_2_04AEB944
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B03D43 mov eax, dword ptr fs:[00000030h]		9_2_04B03D43
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B43540 mov eax, dword ptr fs:[00000030h]		9_2_04B43540
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE7D50 mov eax, dword ptr fs:[00000030h]		9_2_04AE7D50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC52A5 mov eax, dword ptr fs:[00000030h]		9_2_04AC52A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC52A5 mov eax, dword ptr fs:[00000030h]		9_2_04AC52A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC52A5 mov eax, dword ptr fs:[00000030h]		9_2_04AC52A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC52A5 mov eax, dword ptr fs:[00000030h]		9_2_04AC52A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC52A5 mov eax, dword ptr fs:[00000030h]		9_2_04AC52A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B446A7 mov eax, dword ptr fs:[00000030h]		9_2_04B446A7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B90EA5 mov eax, dword ptr fs:[00000030h]		9_2_04B90EA5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B90EA5 mov eax, dword ptr fs:[00000030h]		9_2_04B90EA5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B90EA5 mov eax, dword ptr fs:[00000030h]		9_2_04B90EA5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADAAB0 mov eax, dword ptr fs:[00000030h]		9_2_04ADAAB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADAAB0 mov eax, dword ptr fs:[00000030h]		9_2_04ADAAB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFFAB0 mov eax, dword ptr fs:[00000030h]		9_2_04AFFAB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B5FE87 mov eax, dword ptr fs:[00000030h]		9_2_04B5FE87
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFD294 mov eax, dword ptr fs:[00000030h]		9_2_04AFD294
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFD294 mov eax, dword ptr fs:[00000030h]		9_2_04AFD294
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF2AE4 mov eax, dword ptr fs:[00000030h]		9_2_04AF2AE4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF16E0 mov ecx, dword ptr fs:[00000030h]		9_2_04AF16E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD76E2 mov eax, dword ptr fs:[00000030h]		9_2_04AD76E2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF36CC mov eax, dword ptr fs:[00000030h]		9_2_04AF36CC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF2ACB mov eax, dword ptr fs:[00000030h]		9_2_04AF2ACB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B98ED6 mov eax, dword ptr fs:[00000030h]		9_2_04B98ED6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B7FEC0 mov eax, dword ptr fs:[00000030h]		9_2_04B7FEC0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B08EC7 mov eax, dword ptr fs:[00000030h]		9_2_04B08EC7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B7FE3F mov eax, dword ptr fs:[00000030h]		9_2_04B7FE3F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACE620 mov eax, dword ptr fs:[00000030h]		9_2_04ACE620
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD8A0A mov eax, dword ptr fs:[00000030h]		9_2_04AD8A0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACC600 mov eax, dword ptr fs:[00000030h]		9_2_04ACC600
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACC600 mov eax, dword ptr fs:[00000030h]		9_2_04ACC600
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACC600 mov eax, dword ptr fs:[00000030h]		9_2_04ACC600
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF8E00 mov eax, dword ptr fs:[00000030h]		9_2_04AF8E00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE3A1C mov eax, dword ptr fs:[00000030h]		9_2_04AE3A1C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFA61C mov eax, dword ptr fs:[00000030h]		9_2_04AFA61C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFA61C mov eax, dword ptr fs:[00000030h]		9_2_04AFA61C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACAA16 mov eax, dword ptr fs:[00000030h]		9_2_04ACAA16
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACAA16 mov eax, dword ptr fs:[00000030h]		9_2_04ACAA16
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD766D mov eax, dword ptr fs:[00000030h]		9_2_04AD766D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B0927A mov eax, dword ptr fs:[00000030h]		9_2_04B0927A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B7B260 mov eax, dword ptr fs:[00000030h]		9_2_04B7B260
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B7B260 mov eax, dword ptr fs:[00000030h]		9_2_04B7B260
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B98A62 mov eax, dword ptr fs:[00000030h]		9_2_04B98A62
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AEAE73 mov eax, dword ptr fs:[00000030h]		9_2_04AEAE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AEAE73 mov eax, dword ptr fs:[00000030h]		9_2_04AEAE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AEAE73 mov eax, dword ptr fs:[00000030h]		9_2_04AEAE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AEAE73 mov eax, dword ptr fs:[00000030h]		9_2_04AEAE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AEAE73 mov eax, dword ptr fs:[00000030h]		9_2_04AEAE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B54257 mov eax, dword ptr fs:[00000030h]		9_2_04B54257
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC9240 mov eax, dword ptr fs:[00000030h]		9_2_04AC9240
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC9240 mov eax, dword ptr fs:[00000030h]		9_2_04AC9240
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC9240 mov eax, dword ptr fs:[00000030h]		9_2_04AC9240
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC9240 mov eax, dword ptr fs:[00000030h]		9_2_04AC9240
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD7E41 mov eax, dword ptr fs:[00000030h]		9_2_04AD7E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD7E41 mov eax, dword ptr fs:[00000030h]		9_2_04AD7E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD7E41 mov eax, dword ptr fs:[00000030h]		9_2_04AD7E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD7E41 mov eax, dword ptr fs:[00000030h]		9_2_04AD7E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD7E41 mov eax, dword ptr fs:[00000030h]		9_2_04AD7E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD7E41 mov eax, dword ptr fs:[00000030h]		9_2_04AD7E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B95BA5 mov eax, dword ptr fs:[00000030h]		9_2_04B95BA5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B47794 mov eax, dword ptr fs:[00000030h]		9_2_04B47794
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B47794 mov eax, dword ptr fs:[00000030h]		9_2_04B47794
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B47794 mov eax, dword ptr fs:[00000030h]		9_2_04B47794
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD1B8F mov eax, dword ptr fs:[00000030h]		9_2_04AD1B8F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD1B8F mov eax, dword ptr fs:[00000030h]		9_2_04AD1B8F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B8138A mov eax, dword ptr fs:[00000030h]		9_2_04B8138A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B7D380 mov ecx, dword ptr fs:[00000030h]		9_2_04B7D380
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD8794 mov eax, dword ptr fs:[00000030h]		9_2_04AD8794
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFB390 mov eax, dword ptr fs:[00000030h]		9_2_04AFB390
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B037F5 mov eax, dword ptr fs:[00000030h]		9_2_04B037F5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF03E2 mov eax, dword ptr fs:[00000030h]		9_2_04AF03E2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF03E2 mov eax, dword ptr fs:[00000030h]		9_2_04AF03E2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF03E2 mov eax, dword ptr fs:[00000030h]		9_2_04AF03E2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF03E2 mov eax, dword ptr fs:[00000030h]		9_2_04AF03E2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF03E2 mov eax, dword ptr fs:[00000030h]		9_2_04AF03E2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF03E2 mov eax, dword ptr fs:[00000030h]		9_2_04AF03E2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B453CA mov eax, dword ptr fs:[00000030h]		9_2_04B453CA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B453CA mov eax, dword ptr fs:[00000030h]		9_2_04B453CA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC4F2E mov eax, dword ptr fs:[00000030h]		9_2_04AC4F2E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC4F2E mov eax, dword ptr fs:[00000030h]		9_2_04AC4F2E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFE730 mov eax, dword ptr fs:[00000030h]		9_2_04AFE730
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFA70E mov eax, dword ptr fs:[00000030h]		9_2_04AFA70E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFA70E mov eax, dword ptr fs:[00000030h]		9_2_04AFA70E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B8131B mov eax, dword ptr fs:[00000030h]		9_2_04B8131B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B5FF10 mov eax, dword ptr fs:[00000030h]		9_2_04B5FF10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B5FF10 mov eax, dword ptr fs:[00000030h]		9_2_04B5FF10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B9070D mov eax, dword ptr fs:[00000030h]		9_2_04B9070D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B9070D mov eax, dword ptr fs:[00000030h]		9_2_04B9070D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AEF716 mov eax, dword ptr fs:[00000030h]		9_2_04AEF716
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACDB60 mov ecx, dword ptr fs:[00000030h]		9_2_04ACDB60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADFF60 mov eax, dword ptr fs:[00000030h]		9_2_04ADFF60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B98F6A mov eax, dword ptr fs:[00000030h]		9_2_04B98F6A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF3B7A mov eax, dword ptr fs:[00000030h]		9_2_04AF3B7A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AF3B7A mov eax, dword ptr fs:[00000030h]		9_2_04AF3B7A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B98B58 mov eax, dword ptr fs:[00000030h]		9_2_04B98B58
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACDB40 mov eax, dword ptr fs:[00000030h]		9_2_04ACDB40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADEF40 mov eax, dword ptr fs:[00000030h]		9_2_04ADEF40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACF358 mov eax, dword ptr fs:[00000030h]		9_2_04ACF358

Enables debug privileges

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 23.253.73.122 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.213.108.250 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 208.91.197.27 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.224.206.45 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.223.115.185 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.76.239 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 92.249.45.191 80			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Section loaded: unknown target: C:\Users\user\Desktop\lpdKSOB78u.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 1330000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Process created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\lpdKSOB78u.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000004.00000000.214145154.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000004.00000000.214937637.0000000001980000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.473091261.0000000003350000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.229364456.0000000006860000.00000004.00000001.sdmp, raserver.exe, 00000009.00000002.473091261.0000000003350000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.214937637.0000000001980000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.473091261.0000000003350000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.214937637.0000000001980000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.473091261.0000000003350000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query windows version

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403486

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE