Analysis Report Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Overview

General Information

Sample Name: Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Analysis ID: 432567
MD5: b148ae414eb8a1b34a15cdb32c21f9ee
SHA1: 25b78f76010cc34843352c78d4f8e07a28b46b32
SHA256: 193788545c12c697fe660e9dd178e5d97478d5b90d5b0096f1cd6a9b641d48e9

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.rebeccannemontgomery.net/dp3a/"], "decoy": ["frayl.com", "utmostroofing.com", "galactigames.com", "kingguardgroup.com", "goldinsacks.com", "platinumcreditrepair.net", "sw-advisers.com", "ininjawebtech.com", "spectrurnvisionpartners.com", "freshdeliciousberryfarm.com", "12796.xyz", "goldgrandpa.com", "chicago-trading.academy", "newstechealth.com", "pecon.pro", "2dmaxximumrecords.com", "athrivingthirtysomething.com", "universalphonemarket.com", "motivationinterviewsinc.com", "virtualrealty.tours", "bring-wellness.com", "fengshuimingshi.com", "urbanpite.com", "28ji.site", "xuanpei.net", "letstrumpbiden.com", "xtremetechtv.com", "leyardzm.net", "funemoke.net", "closetofaurora.com", "theyogirunner.com", "pmbcommercial.com", "michiganpsychologist.com", "foodandbio.com", "goodlukc.com", "kingofkingslovesyou.com", "topazsnacks.com", "vinpearlnhatrangbay.com", "24x7dream.com", "attafine.com", "hireinone.xyz", "growwithjenn.com", "fortworthsurrogacy.com", "kladios.com", "aishark.net", "havenparent.com", "elementaryelegance.com", "moulardfarms.net", "tomrings.com", "allyexpense.com", "juleshypnosis.com", "rboxtogo.com", "restorey.com", "oilleakgames.com", "protectpursuit.com", "checkitreviews.com", "jeremypohu.com", "mnanoramaonline.com", "xn--instagrm-fza.com", "fianser.com", "www-338616.com", "woollardhenry.com", "reviewdrkofford.com", "vandalvans.com"]}
Multi AV Scanner detection for submitted file
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe Virustotal: Detection: 29%
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.raserver.exe.51c7960.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.raserver.exe.30cde50.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.695638149.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000000.00000003.650872254.0000000009990000.00000004.00000001.sdmp, Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704631628.0000000000BDF000.00000040.00000001.sdmp, raserver.exe, 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, raserver.exe
Source: Binary string: RAServer.pdb source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704478667.0000000000940000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704478667.0000000000940000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.695638149.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 4x nop then pop esi 2_2_0041583E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 4x nop then pop ebx 2_2_00406A96
Source: C:\Windows\SysWOW64\raserver.exe Code function: 4x nop then pop esi 7_2_00AC583E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 4x nop then pop ebx 7_2_00AB6A96

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49757 -> 121.254.178.252:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49757 -> 121.254.178.252:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49757 -> 121.254.178.252:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 85.159.66.93:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 85.159.66.93:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 85.159.66.93:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 35.205.61.67:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 35.205.61.67:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 35.205.61.67:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 37.48.65.148:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 37.48.65.148:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 37.48.65.148:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.rebeccannemontgomery.net/dp3a/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.hireinone.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+DloN+T+QKhF HTTP/1.1 | Host: www.theyogirunner.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+DloN+T+QKhF HTTP/1.1 | Host: www.theyogirunner.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /dp3a/?GR-d=9p/K3n16Mfij3JUlf4zaR/Rujbmkv/CDhZs1M9Rj6A9SEkbuvv/NT9LewVshmGfbFjhm&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 | Host: www.kladios.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /dp3a/?GR-d=gNGby8oVX6PgZB5GWA7CusOGqzi3GywYGs/3OTvKjB1NulubMkWwqj/edMXwHBCob9Lh&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 | Host: www.hireinone.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /dp3a/?GR-d=gKBh5mJw+OBG/cLQbNfpnnQYqc+45jCeSmhHkERkUIltQJh3+jBq8zykiXiJ5ld+SMHF&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 | Host: www.closetofaurora.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=/zMHFgDZZhoYLr+uNA/LZaIwAqqHNoUyccNHiXKU1Oc8waRhqa0xV5lesUE3sQ0wja+H HTTP/1.1 | Host: www.28ji.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /dp3a/?GR-d=+9xVWhQ3YZdKS9LSdJD9Q5IGOGjZWYGRUC/PBrhb5+8EiR866LajmsNw/hU5zOKELtJS&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 | Host: www.kingguardgroup.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /dp3a/?GR-d=ayCA4X1Kl09ymHiLnx81tYxQpS3YxUUFxhK9zdH9kq/gCaIMsyBIYQcEhhLQSA14VAsf&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 | Host: www.rebeccannemontgomery.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=qfgFr8ieK4pb0oEJahXrwfByJwdYjuIB81dpFpRA2DwOSKuw2QjIPW4nYRzvvZDFGDPJ HTTP/1.1 | Host: www.pecon.pro | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.227.38.74
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LEASEWEB-NL-AMS-01 (Netherlands, NL)
Source: Joe Sandbox View ASN Name: HENGTONG-IDC-LLC (US)
Source: Joe Sandbox View ASN Name: CLOUDFLARENET (US)
Source: unknown DNS traffic detected: queries for: www.theyogirunner.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 10 Jun 2021 12:36:44 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 70 33 61 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dp3a/ was not found on this server.</p></body></html>
Source: raserver.exe, 00000007.00000002.915003619.0000000005342000.00000004.00000001.sdmp String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.659286527.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405042

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_004181C0 NtCreateFile, 2_2_004181C0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00418270 NtReadFile, 2_2_00418270
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_004182F0 NtClose, 2_2_004182F0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_004183A0 NtAllocateVirtualMemory, 2_2_004183A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_004181BC NtCreateFile, 2_2_004181BC
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_004182EB NtClose, 2_2_004182EB
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_0041839B NtAllocateVirtualMemory, 2_2_0041839B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B298F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_00B298F0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_00B29860
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29840 NtDelayExecution,LdrInitializeThunk, 2_2_00B29840
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B299A0 NtCreateSection,LdrInitializeThunk, 2_2_00B299A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_00B29910
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29A20 NtResumeThread,LdrInitializeThunk, 2_2_00B29A20
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_00B29A00
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29A50 NtCreateFile,LdrInitializeThunk, 2_2_00B29A50
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B295D0 NtClose,LdrInitializeThunk, 2_2_00B295D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29540 NtReadFile,LdrInitializeThunk, 2_2_00B29540
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B296E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_00B296E0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_00B29660
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B297A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_00B297A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29780 NtMapViewOfSection,LdrInitializeThunk, 2_2_00B29780
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29FE0 NtCreateMutant,LdrInitializeThunk, 2_2_00B29FE0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29710 NtQueryInformationToken,LdrInitializeThunk, 2_2_00B29710
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B298A0 NtWriteVirtualMemory, 2_2_00B298A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29820 NtEnumerateKey, 2_2_00B29820
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B2B040 NtSuspendThread, 2_2_00B2B040
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B299D0 NtCreateProcessEx, 2_2_00B299D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29950 NtQueueApcThread, 2_2_00B29950
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29A80 NtOpenDirectoryObject, 2_2_00B29A80
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29A10 NtQuerySection, 2_2_00B29A10
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B2A3B0 NtGetContextThread, 2_2_00B2A3B0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29B00 NtSetValueKey, 2_2_00B29B00
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B295F0 NtQueryInformationFile, 2_2_00B295F0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B2AD30 NtSetContextThread, 2_2_00B2AD30
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29520 NtWaitForSingleObject, 2_2_00B29520
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29560 NtWriteFile, 2_2_00B29560
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B296D0 NtCreateKey, 2_2_00B296D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29610 NtEnumerateValueKey, 2_2_00B29610
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29670 NtQueryInformationProcess, 2_2_00B29670
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29650 NtQueryValueKey, 2_2_00B29650
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29730 NtQueryVirtualMemory, 2_2_00B29730
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B2A710 NtOpenProcessToken, 2_2_00B2A710
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29770 NtSetInformationFile, 2_2_00B29770
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B2A770 NtOpenThread, 2_2_00B2A770
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B29760 NtOpenProcess, 2_2_00B29760
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_1_004181C0 NtCreateFile, 2_1_004181C0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_1_00418270 NtReadFile, 2_1_00418270
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_1_004182F0 NtClose, 2_1_004182F0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_1_004183A0 NtAllocateVirtualMemory, 2_1_004183A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF95D0 NtClose,LdrInitializeThunk, 7_2_04CF95D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9540 NtReadFile,LdrInitializeThunk, 7_2_04CF9540
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF96D0 NtCreateKey,LdrInitializeThunk, 7_2_04CF96D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF96E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_04CF96E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9650 NtQueryValueKey,LdrInitializeThunk, 7_2_04CF9650
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9660 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_04CF9660
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9FE0 NtCreateMutant,LdrInitializeThunk, 7_2_04CF9FE0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9780 NtMapViewOfSection,LdrInitializeThunk, 7_2_04CF9780
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9710 NtQueryInformationToken,LdrInitializeThunk, 7_2_04CF9710
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9840 NtDelayExecution,LdrInitializeThunk, 7_2_04CF9840
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_04CF9860
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF99A0 NtCreateSection,LdrInitializeThunk, 7_2_04CF99A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_04CF9910
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9A50 NtCreateFile,LdrInitializeThunk, 7_2_04CF9A50
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF95F0 NtQueryInformationFile, 7_2_04CF95F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9560 NtWriteFile, 7_2_04CF9560
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9520 NtWaitForSingleObject, 7_2_04CF9520
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CFAD30 NtSetContextThread, 7_2_04CFAD30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9670 NtQueryInformationProcess, 7_2_04CF9670
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9610 NtEnumerateValueKey, 7_2_04CF9610
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF97A0 NtUnmapViewOfSection, 7_2_04CF97A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9760 NtOpenProcess, 7_2_04CF9760
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CFA770 NtOpenThread, 7_2_04CFA770
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9770 NtSetInformationFile, 7_2_04CF9770
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CFA710 NtOpenProcessToken, 7_2_04CFA710
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9730 NtQueryVirtualMemory, 7_2_04CF9730
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF98F0 NtReadVirtualMemory, 7_2_04CF98F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF98A0 NtWriteVirtualMemory, 7_2_04CF98A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CFB040 NtSuspendThread, 7_2_04CFB040
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9820 NtEnumerateKey, 7_2_04CF9820
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF99D0 NtCreateProcessEx, 7_2_04CF99D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9950 NtQueueApcThread, 7_2_04CF9950
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9A80 NtOpenDirectoryObject, 7_2_04CF9A80
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9A00 NtProtectVirtualMemory, 7_2_04CF9A00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9A10 NtQuerySection, 7_2_04CF9A10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9A20 NtResumeThread, 7_2_04CF9A20
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CFA3B0 NtGetContextThread, 7_2_04CFA3B0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF9B00 NtSetValueKey, 7_2_04CF9B00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00AC81C0 NtCreateFile, 7_2_00AC81C0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00AC82F0 NtClose, 7_2_00AC82F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00AC8270 NtReadFile, 7_2_00AC8270
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00AC83A0 NtAllocateVirtualMemory, 7_2_00AC83A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00AC81BC NtCreateFile, 7_2_00AC81BC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00AC82EB NtClose, 7_2_00AC82EB
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00AC839B NtAllocateVirtualMemory, 7_2_00AC839B
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040323C
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 04CBB150 appears 133 times
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: String function: 00AEB150 appears 136 times
Sample file is different than original file name gathered from version info
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000000.00000003.647610440.0000000009C3F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704494044.0000000000959000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameraserver.exej% vs Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704631628.0000000000BDF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Uses 32bit PE files
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/4@11/8
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404356
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar, 0_2_00402020
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_01
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File created: C:\Users\user\AppData\Local\Temp\nsv24C7.tmp
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe Virustotal: Detection: 29%
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File read: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Source: unknown Process created: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.695638149.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000000.00000003.650872254.0000000009990000.00000004.00000001.sdmp, Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704631628.0000000000BDF000.00000040.00000001.sdmp, raserver.exe, 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, raserver.exe
Source: Binary string: RAServer.pdb source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704478667.0000000000940000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704478667.0000000000940000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.695638149.0000000005A00000.00000002.00000001.sdmp
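The process-creation lines above give the whole execution chain: the sample starts a second copy of itself, explorer.exe (which the sample never launched) starts C:\Windows\SysWOW64\raserver.exe, and raserver.exe runs cmd.exe /c del against the original sample path. That is the usual FormBook sequence: hollow the relaunched child, inject into explorer.exe, have explorer.exe spawn a signed system binary to host the payload, then delete the dropper. The Python below is an added example and not part of the Joe Sandbox report: it parses exactly these "Process created:" lines (pasted into the script as constructed input), rebuilds the parent/child tree and flags the three behaviours a detection engineer would alert on. The indicator names, the regexes and the heuristics are my own assumptions, not report fields.

```python
import re
from collections import defaultdict

# Constructed input: the "Process created:" lines from the report above,
# pasted verbatim. Nothing is read from a live system.
REPORT_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""

SAMPLE_PATH = r"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe"

# "Source: <parent image> Process created: <child image> <command line>"
# The child image ends at the first ".exe " because the sample's own name
# contains spaces, so a plain split on whitespace would break it.
LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) (?P<cmdline>.*)$",
    re.IGNORECASE,
)
# "/c del 'path'" as issued by raserver.exe (quotes optional)
DEL_RE = re.compile(r"/c\s+del\s+'?(?P<target>[^']+?)'?\s*$", re.IGNORECASE)


def parse_process_events(text):
    """Return (parent, image, cmdline) for each 'Process created' line."""
    events = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m["parent"], m["image"], m["cmdline"]))
    return events


def build_tree(events):
    """Map each parent image to the list of (child image, cmdline) it started."""
    tree = defaultdict(list)
    for parent, image, cmdline in events:
        tree[parent].append((image, cmdline))
    return tree


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_indicators(events, sample_path):
    """Flag the three behaviours visible in the chain (indicator names are mine)."""
    findings = []
    sp = sample_path.lower()
    for parent, image, cmdline in events:
        # 1. The sample starts a second copy of itself: the usual prelude to
        #    hollowing the child and mapping the unpacked payload into it.
        if parent.lower() == sp and image.lower() == sp:
            findings.append(("self-relaunch", image))
        # 2. explorer.exe, which the sample never launched, starts a SysWOW64
        #    binary. Only injected code in explorer.exe explains that parent.
        if basename(parent) == "explorer.exe" and "\\syswow64\\" in image.lower():
            findings.append(("explorer-spawns-wow64-binary", image))
        # 3. cmd.exe /c del aimed at the original sample path: self-deletion
        #    once the payload lives in another process.
        m = DEL_RE.search(cmdline)
        if basename(image) == "cmd.exe" and m and m["target"].strip().lower() == sp:
            findings.append(("self-delete", parent))
    return findings


def roots(tree):
    """Parents that are never themselves a child (the report has two chains)."""
    children = {img for kids in tree.values() for img, _ in kids}
    return [p for p in tree if p not in children]


def render_tree(tree, root, depth=0, seen=None, out=None):
    """Indented rendering of one chain. The report carries no PIDs, so a
    process that re-launches itself is a cycle here; descend into each
    image only once."""
    seen = set() if seen is None else seen
    out = [] if out is None else out
    for image, cmdline in tree.get(root, []):
        out.append("  " * depth + f"{basename(image)}  [{cmdline}]")
        if image not in seen:
            seen.add(image)
            render_tree(tree, image, depth + 1, seen, out)
    return out


def render_all(events):
    tree = build_tree(events)
    out = []
    for r in roots(tree):
        out.append(f"[{basename(r)}]")
        render_tree(tree, r, 1, None, out)
    return out


if __name__ == "__main__":
    evs = parse_process_events(REPORT_LINES)
    print("\n".join(render_all(evs)))
    for kind, where in find_indicators(evs, SAMPLE_PATH):
        print(f"{kind:32} {where}")
```

The same three checks map directly onto Sysmon event 1 (ParentImage, Image, CommandLine) on a real host; the only field the sandbox log lacks is the PID, which is why the renderer has to treat the self-relaunch as a cycle.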

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Unpacked PE file: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_6F732F60 push eax; ret 0_2_6F732F8E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00416026 push ebx; iretd 2_2_00416027
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_0041C087 push dword ptr [DF0C81F8h]; ret 2_2_0041C1C4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00409A94 push 00D6BDC6h; iretd 2_2_00409A99
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_0041B3B5 push eax; ret 2_2_0041B408
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_0041B46C push eax; ret 2_2_0041B472
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_0041B402 push eax; ret 2_2_0041B408
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_0041B40B push eax; ret 2_2_0041B472
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B3D0D1 push ecx; ret 2_2_00B3D0E4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D0D0D1 push ecx; ret 7_2_04D0D0E4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00ACC087 push dword ptr [DF0C81F8h]; ret 7_2_00ACC1C4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00AC6026 push ebx; iretd 7_2_00AC6027
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00AB9A94 push 00D6BDC6h; iretd 7_2_00AB9A99
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00ACB3B5 push eax; ret 7_2_00ACB408
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00ACB40B push eax; ret 7_2_00ACB472
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00ACB402 push eax; ret 7_2_00ACB408
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_00ACB46C push eax; ret 7_2_00ACB472

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File created: C:\Users\user\AppData\Local\Temp\nsp24F7.tmp\System.dll
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 0000000000AB85E4 second address: 0000000000AB85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 0000000000AB897E second address: 0000000000AB8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
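The RDTSC pairs above, the push/ret sequences under Data Obfuscation and the mov eax, fs:[30h] reads under Anti Debugging are all short, fixed instruction sequences, which is exactly what makes them usable as memory-scan signatures of the kind the two YARA rules at the top of this section apply. The Python below is an added example (mine, not Joe Sandbox's and not either YARA rule): a minimal YARA-style hex-pattern matcher run over a constructed byte buffer. The byte encodings are my assumptions derived from the mnemonics in the report (0F 31 for rdtsc, 64 A1 30 00 00 00 for mov eax, fs:[30h], 68 imm32 for push imm32, C3 for ret, CF for iretd); the report itself gives only mnemonics and offsets, though its +0/+2/+4/+6 spacing is consistent with two-byte encodings.

```python
import re

# YARA-style hex patterns: "??" is a wildcard byte, "( A | B C )" an alternation.
# Encodings are assumptions from the mnemonics in the report (32-bit code).
PATTERNS = {
    # rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc   (+0 +2 +4 +6 in the report)
    "rdtsc-delta": "0F 31 (33 C9 | 31 C9) (03 C8 | 01 C1) 0F 31",
    # mov eax, fs:[30h]  /  mov ecx, fs:[30h]   (TEB -> PEB pointer)
    "peb-read": "64 (A1 | 8B 05 | 8B 0D) 30 00 00 00",
    # push imm32 ; ret   or   push imm32 ; iretd  (call/push/ret obfuscation)
    "push-imm-ret": "68 ?? ?? ?? ?? (C3 | CF)",
}

TOKEN_RE = re.compile(r"\(|\)|\||\?\?|[0-9A-Fa-f]{2}")


def compile_pattern(hex_pattern):
    """Translate the hex pattern into a compiled bytes regex."""
    parts = []
    for tok in TOKEN_RE.findall(hex_pattern):
        if tok == "(":
            parts.append(b"(?:")
        elif tok == ")":
            parts.append(b")")
        elif tok == "|":
            parts.append(b"|")
        elif tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches a 0x0A byte
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf, patterns=PATTERNS):
    """Return sorted (offset, name, matched bytes as hex) for every hit."""
    hits = []
    for name, hex_pattern in patterns.items():
        for m in compile_pattern(hex_pattern).finditer(buf):
            hexed = " ".join(f"{b:02X}" for b in m.group(0))
            hits.append((m.start(), name, hexed))
    return sorted(hits)


# Constructed test buffer: the instruction sequences from the report wrapped
# in filler. It is not memory dumped from the sample.
SAMPLE_BUF = (
    b"\x55\x8B\xEC\x90"                  # push ebp ; mov ebp,esp ; nop
    b"\x0F\x31\x33\xC9\x03\xC8\x0F\x31"  # rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc
    b"\x90\x90"
    b"\x64\xA1\x30\x00\x00\x00"          # mov eax, fs:[30h]
    b"\x64\x8B\x0D\x30\x00\x00\x00"      # mov ecx, fs:[30h]
    b"\x68\xC6\xBD\xD6\x00\xCF"          # push 00D6BDC6h ; iretd
    b"\xC3"
)

if __name__ == "__main__":
    for off, name, hexed in scan(SAMPLE_BUF):
        print(f"{off:08X}  {name:14}  {hexed}")
```

Run these patterns against the unpacked regions (the *.unpack objects listed at the top of this section), not the file on disk: the packed sample does not carry the payload in the clear. Treat the push imm32 / ret pattern as corroboration only, since compilers and legitimate packers emit it too; the full rdtsc/xor/add/rdtsc sequence and repeated fs:[30h] reads in a process that has no business inspecting its own PEB are the stronger signals.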
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_004088B0 rdtsc 2_2_004088B0
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe API coverage: 6.5 %
Source: C:\Windows\SysWOW64\raserver.exe API coverage: 7.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5752 Thread sleep time: -55000s >= -30000s
Source: C:\Windows\SysWOW64\raserver.exe TID: 7124 Thread sleep time: -44000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\raserver.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: explorer.exe, 00000005.00000000.695476860.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.673631126.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.670610896.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.692663618.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.695476860.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.673760254.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.695476860.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.673812206.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000005.00000000.695476860.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_004088B0 rdtsc 2_2_004088B0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00409B20 LdrLoadDll, 2_2_00409B20
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1F0BF mov ecx, dword ptr fs:[00000030h] 2_2_00B1F0BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1F0BF mov eax, dword ptr fs:[00000030h] 2_2_00B1F0BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1F0BF mov eax, dword ptr fs:[00000030h] 2_2_00B1F0BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B120A0 mov eax, dword ptr fs:[00000030h] 2_2_00B120A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B120A0 mov eax, dword ptr fs:[00000030h] 2_2_00B120A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B120A0 mov eax, dword ptr fs:[00000030h] 2_2_00B120A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B120A0 mov eax, dword ptr fs:[00000030h] 2_2_00B120A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B120A0 mov eax, dword ptr fs:[00000030h] 2_2_00B120A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B120A0 mov eax, dword ptr fs:[00000030h] 2_2_00B120A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B290AF mov eax, dword ptr fs:[00000030h] 2_2_00B290AF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AE9080 mov eax, dword ptr fs:[00000030h] 2_2_00AE9080
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B63884 mov eax, dword ptr fs:[00000030h] 2_2_00B63884
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B63884 mov eax, dword ptr fs:[00000030h] 2_2_00B63884
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AE58EC mov eax, dword ptr fs:[00000030h] 2_2_00AE58EC
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AE40E1 mov eax, dword ptr fs:[00000030h] 2_2_00AE40E1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AE40E1 mov eax, dword ptr fs:[00000030h] 2_2_00AE40E1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AE40E1 mov eax, dword ptr fs:[00000030h] 2_2_00AE40E1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0B8E4 mov eax, dword ptr fs:[00000030h] 2_2_00B0B8E4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0B8E4 mov eax, dword ptr fs:[00000030h] 2_2_00B0B8E4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B7B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B7B8D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B7B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_00B7B8D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B7B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B7B8D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B7B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B7B8D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B7B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B7B8D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B7B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B7B8D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0A830 mov eax, dword ptr fs:[00000030h] 2_2_00B0A830
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0A830 mov eax, dword ptr fs:[00000030h] 2_2_00B0A830
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0A830 mov eax, dword ptr fs:[00000030h] 2_2_00B0A830
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0A830 mov eax, dword ptr fs:[00000030h] 2_2_00B0A830
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AFB02A mov eax, dword ptr fs:[00000030h] 2_2_00AFB02A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AFB02A mov eax, dword ptr fs:[00000030h] 2_2_00AFB02A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AFB02A mov eax, dword ptr fs:[00000030h] 2_2_00AFB02A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AFB02A mov eax, dword ptr fs:[00000030h] 2_2_00AFB02A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1002D mov eax, dword ptr fs:[00000030h] 2_2_00B1002D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1002D mov eax, dword ptr fs:[00000030h] 2_2_00B1002D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1002D mov eax, dword ptr fs:[00000030h] 2_2_00B1002D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1002D mov eax, dword ptr fs:[00000030h] 2_2_00B1002D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1002D mov eax, dword ptr fs:[00000030h] 2_2_00B1002D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B67016 mov eax, dword ptr fs:[00000030h] 2_2_00B67016
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B67016 mov eax, dword ptr fs:[00000030h] 2_2_00B67016
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B67016 mov eax, dword ptr fs:[00000030h] 2_2_00B67016
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BB4015 mov eax, dword ptr fs:[00000030h] 2_2_00BB4015
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BB4015 mov eax, dword ptr fs:[00000030h] 2_2_00BB4015
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BA2073 mov eax, dword ptr fs:[00000030h] 2_2_00BA2073
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BB1074 mov eax, dword ptr fs:[00000030h] 2_2_00BB1074
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B00050 mov eax, dword ptr fs:[00000030h] 2_2_00B00050
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B00050 mov eax, dword ptr fs:[00000030h] 2_2_00B00050
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B651BE mov eax, dword ptr fs:[00000030h] 2_2_00B651BE
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B651BE mov eax, dword ptr fs:[00000030h] 2_2_00B651BE
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B651BE mov eax, dword ptr fs:[00000030h] 2_2_00B651BE
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B651BE mov eax, dword ptr fs:[00000030h] 2_2_00B651BE
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h] 2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h] 2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B099BF mov eax, dword ptr fs:[00000030h] 2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h] 2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h] 2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B099BF mov eax, dword ptr fs:[00000030h] 2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h] 2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h] 2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B099BF mov eax, dword ptr fs:[00000030h] 2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h] 2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h] 2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B099BF mov eax, dword ptr fs:[00000030h] 2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B669A6 mov eax, dword ptr fs:[00000030h] 2_2_00B669A6
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B161A0 mov eax, dword ptr fs:[00000030h] 2_2_00B161A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B161A0 mov eax, dword ptr fs:[00000030h] 2_2_00B161A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BA49A4 mov eax, dword ptr fs:[00000030h] 2_2_00BA49A4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BA49A4 mov eax, dword ptr fs:[00000030h] 2_2_00BA49A4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BA49A4 mov eax, dword ptr fs:[00000030h] 2_2_00BA49A4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BA49A4 mov eax, dword ptr fs:[00000030h] 2_2_00BA49A4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B12990 mov eax, dword ptr fs:[00000030h] 2_2_00B12990
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0C182 mov eax, dword ptr fs:[00000030h] 2_2_00B0C182
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1A185 mov eax, dword ptr fs:[00000030h] 2_2_00B1A185
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AEB1E1 mov eax, dword ptr fs:[00000030h] 2_2_00AEB1E1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AEB1E1 mov eax, dword ptr fs:[00000030h] 2_2_00AEB1E1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AEB1E1 mov eax, dword ptr fs:[00000030h] 2_2_00AEB1E1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B741E8 mov eax, dword ptr fs:[00000030h] 2_2_00B741E8
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1513A mov eax, dword ptr fs:[00000030h] 2_2_00B1513A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1513A mov eax, dword ptr fs:[00000030h] 2_2_00B1513A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B04120 mov eax, dword ptr fs:[00000030h] 2_2_00B04120
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B04120 mov eax, dword ptr fs:[00000030h] 2_2_00B04120
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B04120 mov eax, dword ptr fs:[00000030h] 2_2_00B04120
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B04120 mov eax, dword ptr fs:[00000030h] 2_2_00B04120
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B04120 mov ecx, dword ptr fs:[00000030h] 2_2_00B04120
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AE9100 mov eax, dword ptr fs:[00000030h] 2_2_00AE9100
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AE9100 mov eax, dword ptr fs:[00000030h] 2_2_00AE9100
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AE9100 mov eax, dword ptr fs:[00000030h] 2_2_00AE9100
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AEC962 mov eax, dword ptr fs:[00000030h] 2_2_00AEC962
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AEB171 mov eax, dword ptr fs:[00000030h] 2_2_00AEB171
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AEB171 mov eax, dword ptr fs:[00000030h] 2_2_00AEB171
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0B944 mov eax, dword ptr fs:[00000030h] 2_2_00B0B944
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0B944 mov eax, dword ptr fs:[00000030h] 2_2_00B0B944
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1FAB0 mov eax, dword ptr fs:[00000030h] 2_2_00B1FAB0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AE52A5 mov eax, dword ptr fs:[00000030h] 2_2_00AE52A5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AE52A5 mov eax, dword ptr fs:[00000030h] 2_2_00AE52A5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AE52A5 mov eax, dword ptr fs:[00000030h] 2_2_00AE52A5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0C577 mov eax, dword ptr fs:[00000030h] 2_2_00B0C577
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0C577 mov eax, dword ptr fs:[00000030h] 2_2_00B0C577
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B07D50 mov eax, dword ptr fs:[00000030h] 2_2_00B07D50
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B23D43 mov eax, dword ptr fs:[00000030h] 2_2_00B23D43
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B63540 mov eax, dword ptr fs:[00000030h] 2_2_00B63540
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B93D40 mov eax, dword ptr fs:[00000030h] 2_2_00B93D40
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B646A7 mov eax, dword ptr fs:[00000030h] 2_2_00B646A7
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BB0EA5 mov eax, dword ptr fs:[00000030h] 2_2_00BB0EA5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BB0EA5 mov eax, dword ptr fs:[00000030h] 2_2_00BB0EA5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BB0EA5 mov eax, dword ptr fs:[00000030h] 2_2_00BB0EA5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B7FE87 mov eax, dword ptr fs:[00000030h] 2_2_00B7FE87
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AF76E2 mov eax, dword ptr fs:[00000030h] 2_2_00AF76E2
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B116E0 mov ecx, dword ptr fs:[00000030h] 2_2_00B116E0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BB8ED6 mov eax, dword ptr fs:[00000030h] 2_2_00BB8ED6
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B28EC7 mov eax, dword ptr fs:[00000030h] 2_2_00B28EC7
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B9FEC0 mov eax, dword ptr fs:[00000030h] 2_2_00B9FEC0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B136CC mov eax, dword ptr fs:[00000030h] 2_2_00B136CC
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B9FE3F mov eax, dword ptr fs:[00000030h] 2_2_00B9FE3F
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AEE620 mov eax, dword ptr fs:[00000030h] 2_2_00AEE620
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1A61C mov eax, dword ptr fs:[00000030h] 2_2_00B1A61C
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1A61C mov eax, dword ptr fs:[00000030h] 2_2_00B1A61C
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AEC600 mov eax, dword ptr fs:[00000030h] 2_2_00AEC600
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AEC600 mov eax, dword ptr fs:[00000030h] 2_2_00AEC600
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AEC600 mov eax, dword ptr fs:[00000030h] 2_2_00AEC600
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B18E00 mov eax, dword ptr fs:[00000030h] 2_2_00B18E00
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BA1608 mov eax, dword ptr fs:[00000030h] 2_2_00BA1608
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AF766D mov eax, dword ptr fs:[00000030h] 2_2_00AF766D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0AE73 mov eax, dword ptr fs:[00000030h] 2_2_00B0AE73
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0AE73 mov eax, dword ptr fs:[00000030h] 2_2_00B0AE73
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0AE73 mov eax, dword ptr fs:[00000030h] 2_2_00B0AE73
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0AE73 mov eax, dword ptr fs:[00000030h] 2_2_00B0AE73
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0AE73 mov eax, dword ptr fs:[00000030h] 2_2_00B0AE73
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AF7E41
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AF7E41
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AF7E41
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AF7E41
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AF7E41
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AF7E41
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BAAE44 mov eax, dword ptr fs:[00000030h] 2_2_00BAAE44
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BAAE44 mov eax, dword ptr fs:[00000030h] 2_2_00BAAE44
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B67794 mov eax, dword ptr fs:[00000030h] 2_2_00B67794
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B67794 mov eax, dword ptr fs:[00000030h] 2_2_00B67794
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B67794 mov eax, dword ptr fs:[00000030h] 2_2_00B67794
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AF8794 mov eax, dword ptr fs:[00000030h] 2_2_00AF8794
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B237F5 mov eax, dword ptr fs:[00000030h] 2_2_00B237F5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AE4F2E mov eax, dword ptr fs:[00000030h] 2_2_00AE4F2E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AE4F2E mov eax, dword ptr fs:[00000030h] 2_2_00AE4F2E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1E730 mov eax, dword ptr fs:[00000030h] 2_2_00B1E730
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0B73D mov eax, dword ptr fs:[00000030h] 2_2_00B0B73D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0B73D mov eax, dword ptr fs:[00000030h] 2_2_00B0B73D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B0F716 mov eax, dword ptr fs:[00000030h] 2_2_00B0F716
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B7FF10 mov eax, dword ptr fs:[00000030h] 2_2_00B7FF10
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B7FF10 mov eax, dword ptr fs:[00000030h] 2_2_00B7FF10
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BB070D mov eax, dword ptr fs:[00000030h] 2_2_00BB070D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BB070D mov eax, dword ptr fs:[00000030h] 2_2_00BB070D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1A70E mov eax, dword ptr fs:[00000030h] 2_2_00B1A70E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00B1A70E mov eax, dword ptr fs:[00000030h] 2_2_00B1A70E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AFFF60 mov eax, dword ptr fs:[00000030h] 2_2_00AFFF60
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00BB8F6A mov eax, dword ptr fs:[00000030h] 2_2_00BB8F6A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 2_2_00AFEF40 mov eax, dword ptr fs:[00000030h] 2_2_00AFEF40
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D88CD6 mov eax, dword ptr fs:[00000030h] 7_2_04D88CD6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D36CF0 mov eax, dword ptr fs:[00000030h] 7_2_04D36CF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D36CF0 mov eax, dword ptr fs:[00000030h] 7_2_04D36CF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D36CF0 mov eax, dword ptr fs:[00000030h] 7_2_04D36CF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D714FB mov eax, dword ptr fs:[00000030h] 7_2_04D714FB
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h] 7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h] 7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h] 7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h] 7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h] 7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h] 7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h] 7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h] 7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h] 7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h] 7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h] 7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h] 7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h] 7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CC849B mov eax, dword ptr fs:[00000030h] 7_2_04CC849B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D4C450 mov eax, dword ptr fs:[00000030h] 7_2_04D4C450
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D4C450 mov eax, dword ptr fs:[00000030h] 7_2_04D4C450
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEA44B mov eax, dword ptr fs:[00000030h] 7_2_04CEA44B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CD746D mov eax, dword ptr fs:[00000030h] 7_2_04CD746D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h] 7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h] 7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h] 7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h] 7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h] 7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h] 7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h] 7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h] 7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h] 7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h] 7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h] 7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h] 7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D8740D mov eax, dword ptr fs:[00000030h] 7_2_04D8740D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D8740D mov eax, dword ptr fs:[00000030h] 7_2_04D8740D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D8740D mov eax, dword ptr fs:[00000030h] 7_2_04D8740D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D36C0A mov eax, dword ptr fs:[00000030h] 7_2_04D36C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D36C0A mov eax, dword ptr fs:[00000030h] 7_2_04D36C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D36C0A mov eax, dword ptr fs:[00000030h] 7_2_04D36C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D36C0A mov eax, dword ptr fs:[00000030h] 7_2_04D36C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEBC2C mov eax, dword ptr fs:[00000030h] 7_2_04CEBC2C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D36DC9 mov eax, dword ptr fs:[00000030h] 7_2_04D36DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D36DC9 mov eax, dword ptr fs:[00000030h] 7_2_04D36DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D36DC9 mov eax, dword ptr fs:[00000030h] 7_2_04D36DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D36DC9 mov ecx, dword ptr fs:[00000030h] 7_2_04D36DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D36DC9 mov eax, dword ptr fs:[00000030h] 7_2_04D36DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D36DC9 mov eax, dword ptr fs:[00000030h] 7_2_04D36DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D68DF1 mov eax, dword ptr fs:[00000030h] 7_2_04D68DF1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CCD5E0 mov eax, dword ptr fs:[00000030h] 7_2_04CCD5E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CCD5E0 mov eax, dword ptr fs:[00000030h] 7_2_04CCD5E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D7FDE2 mov eax, dword ptr fs:[00000030h] 7_2_04D7FDE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D7FDE2 mov eax, dword ptr fs:[00000030h] 7_2_04D7FDE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D7FDE2 mov eax, dword ptr fs:[00000030h] 7_2_04D7FDE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D7FDE2 mov eax, dword ptr fs:[00000030h] 7_2_04D7FDE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CB2D8A mov eax, dword ptr fs:[00000030h] 7_2_04CB2D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CB2D8A mov eax, dword ptr fs:[00000030h] 7_2_04CB2D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CB2D8A mov eax, dword ptr fs:[00000030h] 7_2_04CB2D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CB2D8A mov eax, dword ptr fs:[00000030h] 7_2_04CB2D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CB2D8A mov eax, dword ptr fs:[00000030h] 7_2_04CB2D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CE2581 mov eax, dword ptr fs:[00000030h] 7_2_04CE2581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CE2581 mov eax, dword ptr fs:[00000030h] 7_2_04CE2581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CE2581 mov eax, dword ptr fs:[00000030h] 7_2_04CE2581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CE2581 mov eax, dword ptr fs:[00000030h] 7_2_04CE2581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEFD9B mov eax, dword ptr fs:[00000030h] 7_2_04CEFD9B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CEFD9B mov eax, dword ptr fs:[00000030h] 7_2_04CEFD9B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h] 7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h] 7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h] 7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h] 7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h] 7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h] 7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h] 7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CE35A1 mov eax, dword ptr fs:[00000030h] 7_2_04CE35A1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D805AC mov eax, dword ptr fs:[00000030h] 7_2_04D805AC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D805AC mov eax, dword ptr fs:[00000030h] 7_2_04D805AC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CE1DB5 mov eax, dword ptr fs:[00000030h] 7_2_04CE1DB5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CE1DB5 mov eax, dword ptr fs:[00000030h] 7_2_04CE1DB5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CE1DB5 mov eax, dword ptr fs:[00000030h] 7_2_04CE1DB5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CF3D43 mov eax, dword ptr fs:[00000030h] 7_2_04CF3D43
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D33540 mov eax, dword ptr fs:[00000030h] 7_2_04D33540
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D63D40 mov eax, dword ptr fs:[00000030h] 7_2_04D63D40
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CD7D50 mov eax, dword ptr fs:[00000030h] 7_2_04CD7D50
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CDC577 mov eax, dword ptr fs:[00000030h] 7_2_04CDC577
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CDC577 mov eax, dword ptr fs:[00000030h] 7_2_04CDC577
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D3A537 mov eax, dword ptr fs:[00000030h] 7_2_04D3A537
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D88D34 mov eax, dword ptr fs:[00000030h] 7_2_04D88D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04D7E539 mov eax, dword ptr fs:[00000030h] 7_2_04D7E539
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CE4D3B mov eax, dword ptr fs:[00000030h] 7_2_04CE4D3B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CE4D3B mov eax, dword ptr fs:[00000030h] 7_2_04CE4D3B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CE4D3B mov eax, dword ptr fs:[00000030h] 7_2_04CE4D3B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h] 7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h] 7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h] 7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h] 7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h] 7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h] 7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h] 7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h] 7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h] 7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h] 7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h] 7_2_04CC3D34
Enables debug privileges
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\raserver.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.theyogirunner.com
Source: C:\Windows\explorer.exe Domain query: www.kladios.com
Source: C:\Windows\explorer.exe Network Connect: 37.48.65.148 80
Source: C:\Windows\explorer.exe Domain query: www.28ji.site
Source: C:\Windows\explorer.exe Network Connect: 104.232.96.207 80
Source: C:\Windows\explorer.exe Domain query: www.hireinone.xyz
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Domain query: www.pecon.pro
Source: C:\Windows\explorer.exe Network Connect: 85.159.66.93 80
Source: C:\Windows\explorer.exe Domain query: www.kingguardgroup.com
Source: C:\Windows\explorer.exe Domain query: www.rebeccannemontgomery.net
Source: C:\Windows\explorer.exe Network Connect: 35.205.61.67 80
Source: C:\Windows\explorer.exe Domain query: www.closetofaurora.com
Source: C:\Windows\explorer.exe Domain query: www.letstrumpbiden.com
Source: C:\Windows\explorer.exe Domain query: www.goodlukc.com
Source: C:\Windows\explorer.exe Network Connect: 69.162.102.218 80
Source: C:\Windows\explorer.exe Network Connect: 121.254.178.252 80
Source: C:\Windows\explorer.exe Network Connect: 162.0.229.108 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Section loaded: unknown target: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\raserver.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: AE0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Process created: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Source: explorer.exe, 00000005.00000000.684754948.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.658255568.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.914263948.0000000003540000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.658255568.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.914263948.0000000003540000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.658255568.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.914263948.0000000003540000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.658255568.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.914263948.0000000003540000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.673760254.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405B88

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE