Analysis Report OrderKLB210568.exe

Overview

General Information

Sample Name: OrderKLB210568.exe
Analysis ID: 433298
MD5: 759b0d51f128f54e516ad1941a896d77
SHA1: 13e8d9d44cf15bcfc43952eebc3f10fcafed23a3
SHA256: a08bf89a7e4c15fb33684e268199df85727a6ab759a1d7f3d5ba2b7a0e49f17a
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.brochusuell.com/noor/"], "decoy": ["dwlm003.com", "plafon.one", "spacemazevr.com", "geniuslims.com", "selayvolkanwedding.com", "jarsofjoybylinathomas.com", "crosshatch-culinary.com", "mortenmortensen.com", "astromaritravel.com", "that-poor-girl.com", "kovalchukinteriors.com", "hoppingnations.net", "thequbi.com", "shoppermatic.com", "listofcannabinoids.com", "cottoneco.com", "betsrhodeisland.com", "cheerythoughts.com", "joyeriaguitzel.com", "marryobaidanjum.com", "globalapp.net", "ptuananh.club", "headstailsquiz.com", "centerdei.com", "voyagoezy.com", "mysftech.com", "makpumpiran.com", "infathguation.com", "icandrawanything.com", "condorclay.com", "weightlossguruji.com", "zhsysw.com", "radiogogy.com", "pocketeap.com", "gofloorsgo.com", "60-21stave.com", "juliamade.com", "diariodebrasilia.net", "estasenfamilia.com", "agaperpetual.com", "casualcool.xyz", "hfdfg.com", "uipoll.cloud", "indyafilmco.com", "avedonalchemy.online", "store-36.com", "trueandbare.com", "entrenandoamican.com", "tcheaptvwdmall.com", "pirates-bay.gifts", "gamesuptodate.com", "sotoki.com", "pinnacleautism.com", "xbzjist.com", "agencysevenadstrack.com", "atelierbeaumur.site", "stoptraffickingtc.com", "velvetlaceextensions.com", "sanidhestela.com", "crisstings.com", "gshockkuwait.com", "blaxies3.com", "customtiletables.com", "scgcarriers.com"]}
Multi AV Scanner detection for submitted file
Source: OrderKLB210568.exe ReversingLabs: Detection: 32%
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: OrderKLB210568.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.OrderKLB210568.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.raserver.exe.33fcd80.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.raserver.exe.5607960.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.1.OrderKLB210568.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
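The dump names in the Yara and Avira sources above say where each matched region sat and with what page protection. Reading the names on this page, the fields are a process index (0 and 1 are the two OrderKLB210568.exe instances, 4 is explorer.exe, 9 is raserver.exe, matching the 0_2_/1_2_/9.2 prefixes used elsewhere in the report), a snapshot index, a dump id, the region base address, the page protection and a type field; the protection field carries the winnt.h PAGE_* constants (0x02 PAGE_READONLY, 0x04 PAGE_READWRITE, 0x40 PAGE_EXECUTE_READWRITE). That layout is inferred from the names here, not taken from Joe Sandbox documentation. The script below is an added example and not part of the report: it parses every dump name listed on this page and tags each process according to whether FormBook code was found only in non-executable memory (the parent decrypting the payload) or in RWX memory, including at the default 32-bit image base 0x400000 (the hollowed child).

```python
"""Triage of the memory-dump names listed in this report.

Added example, not part of the Joe Sandbox report. The dump-name field layout
(process.snapshot.id.base.protection.type) is inferred from the names on this
page; the PAGE_* values are the winnt.h memory protection constants.
"""
import re

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
IMAGE_BASE_32 = 0x400000  # default image base of a 32-bit PE; the hollowed image lives here

# (process name, dump name, FormBook Yara rule matched) for every dump named in
# this report. Constructed from the report's own source lines.
DUMPS = [
    ("OrderKLB210568.exe", "00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp", True),
    ("OrderKLB210568.exe", "00000000.00000002.667430799.00000000007AA000.00000004.00000020.sdmp", False),
    ("OrderKLB210568.exe", "00000000.00000003.659659585.0000000009A30000.00000004.00000001.sdmp", False),
    ("OrderKLB210568.exe", "00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp", True),
    ("OrderKLB210568.exe", "00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp", True),
    ("OrderKLB210568.exe", "00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp", True),
    ("OrderKLB210568.exe", "00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp", True),
    ("OrderKLB210568.exe", "00000001.00000002.720929756.0000000000A30000.00000040.00000001.sdmp", False),
    ("OrderKLB210568.exe", "00000001.00000002.721198139.0000000000BAF000.00000040.00000001.sdmp", False),
    ("explorer.exe", "00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp", False),
    ("explorer.exe", "00000004.00000000.712034262.0000000005A00000.00000002.00000001.sdmp", False),
    ("raserver.exe", "00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp", True),
    ("raserver.exe", "00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp", True),
    ("raserver.exe", "00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp", True),
    ("raserver.exe", "00000009.00000002.923390978.00000000051EF000.00000040.00000001.sdmp", False),
    ("raserver.exe", "00000009.00000002.923694061.0000000005782000.00000004.00000001.sdmp", False),
]

SDMP_NAME = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<snapshot>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)


def parse_sdmp_name(name):
    """Decode one dump name into integers plus the symbolic PAGE_* protection."""
    m = SDMP_NAME.match(name)
    if not m:
        raise ValueError("not a dump name: " + name)
    prot = int(m["prot"], 16)
    return {
        "proc": int(m["proc"], 16),
        "snapshot": int(m["snapshot"], 16),
        "dump_id": int(m["dump_id"]),
        "base": int(m["base"], 16),
        "protection": prot,
        # PAGE_GUARD / PAGE_NOCACHE live in the high bits; the low byte is the access right
        "prot_name": PAGE_PROTECTION.get(prot & 0xFF, "0x%x" % prot),
        "type": int(m["type"], 16),
    }


def triage(dumps):
    """Tag every process by where FormBook code was found and how that memory was protected."""
    out = {}
    for proc_name, name, yara_hit in dumps:
        d = parse_sdmp_name(name)
        entry = out.setdefault(d["proc"], {"process": proc_name, "regions": [], "tags": set()})
        entry["regions"].append((d["base"], d["prot_name"], yara_hit))
        access = d["protection"] & 0xFF
        exe, writable = access in EXECUTABLE, access in WRITABLE
        if yara_hit and exe and writable:
            entry["tags"].add("formbook-in-rwx-memory")  # injected code, ready to run
        if yara_hit and not exe:
            entry["tags"].add("formbook-in-non-executable-memory")  # decrypted/staged copy
        if exe and writable and d["base"] == IMAGE_BASE_32:
            entry["tags"].add("rwx-at-image-base")  # section rights changed or image replaced
    return out


def summary(dumps):
    """One line per process, in process-index order."""
    lines = []
    for proc, entry in sorted(triage(dumps).items()):
        tags = ", ".join(sorted(entry["tags"])) or "no FormBook code"
        lines.append("%d %-20s %s" % (proc, entry["process"], tags))
    return lines
```

Run over the names from this report it tags process 0 as holding FormBook only in read-write memory, process 1 as holding FormBook in RWX memory with an RWX region at 0x400000, process 9 as holding FormBook in RWX memory, and explorer.exe (process 4) as clean. That is consistent with the chain the signatures describe: the NSIS stub (the nsis.sf.net strings under Networking) decrypts the payload, starts a second copy of itself suspended and hollows it, and that copy, whose RWX memory also contains the RAServer.pdb string listed under Compliance, goes on to inject into raserver.exe.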

Compliance:

Uses 32bit PE files
Source: OrderKLB210568.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.712034262.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: OrderKLB210568.exe, 00000000.00000003.659659585.0000000009A30000.00000004.00000001.sdmp, OrderKLB210568.exe, 00000001.00000002.721198139.0000000000BAF000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.923390978.00000000051EF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: OrderKLB210568.exe, raserver.exe
Source: Binary string: RAServer.pdb source: OrderKLB210568.exe, 00000001.00000002.720929756.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL source: OrderKLB210568.exe, 00000001.00000002.720929756.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.712034262.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 74.208.236.54:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 74.208.236.54:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 74.208.236.54:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.brochusuell.com/noor/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /noor/?1bWh=4rG107LnOcmcuziIBv//fTWAPRyuaqL3ZCNKQGbegtiOA/J/96Y+2s4SPBA+G2lg6sqa&z6A=SROlIdu0 HTTP/1.1 | Host: www.trueandbare.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes)
Source: global traffic HTTP traffic detected: GET /noor/?1bWh=HXv2ci8qflo+sTzlFu6p6ayrdzzy8jUJJ1L5hJzxjEzCyp3/Ui7nWA8VYIXOKVKH4kcG&z6A=SROlIdu0 HTTP/1.1 | Host: www.velvetlaceextensions.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes)
Source: global traffic HTTP traffic detected: GET /noor/?1bWh=yBBObmCyAJHV9q/laG6R4VeleE6hM9O/9rRknywdqzDMYOPfeqQhGmZFlzULPSD48dad&z6A=SROlIdu0 HTTP/1.1 | Host: www.pinnacleautism.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes)
Source: global traffic HTTP traffic detected: GET /noor/?1bWh=MrymD1JTSi9icjGKk8gDaU+0x7uPJ/DMShO0SAEbIObMq4sdMjmwzvuhTtB1BmEBq3Cn&z6A=SROlIdu0 HTTP/1.1 | Host: www.scgcarriers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes)
Source: global traffic HTTP traffic detected: GET /noor/?1bWh=aLSZaEbZcY+nJL/coxA+SeOeWAYt8B9E/LcznQPuCd+SSEpvsuzJsFlKySIeZ1LxQ2fR&z6A=SROlIdu0 HTTP/1.1 | Host: www.customtiletables.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes)
Source: global traffic HTTP traffic detected: GET /noor/?1bWh=KyjbU3AKX/1ra4+yobi9yViduRe0x0FUVCXAE/BWsKVHYHaI6gSvGLTvxwAp00IgFIet&z6A=SROlIdu0 HTTP/1.1 | Host: www.marryobaidanjum.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes)
Source: global traffic HTTP traffic detected: GET /noor/?1bWh=AHmkjMmF5A51F9E2l+bDZjEpvTE04T0IuK3gjYUfTOhZyeiT49VRPb60+qMIaT57BRzI&z6A=SROlIdu0 HTTP/1.1 | Host: www.astromaritravel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes)
Source: global traffic HTTP traffic detected: GET /noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq+Heyas7SGX58S4jH7yXEPKWiH2cfubfT5&z6A=SROlIdu0 HTTP/1.1 | Host: www.plafon.one | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes)
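The eight GET requests above share one shape: the path /noor/ from the extracted C2 entry, a two-parameter query whose first value looks like base64, Connection: close, no User-Agent, and a different host every time. FormBook cycles through the decoy domains in its configuration and only one host (www.brochusuell.com here) is the real C2, so a blocklist built from the observed hosts is mostly noise and may block legitimate sites. The following script is an added example, not part of the Joe Sandbox report: it classifies raw HTTP requests against the extracted configuration. The config dict is copied from the "Found malware configuration" source above; the sample requests are constructed (three re-typed from the lines above, plus one request to the configured C2 host and one ordinary browser request that are made up here for contrast).

```python
"""Classify HTTP requests against the FormBook configuration extracted in this report.
Added example, not sandbox or malware code. Config copied from the report; the
sample requests are constructed (three re-typed from the report, two made up)."""
import re
from urllib.parse import urlsplit

FORMBOOK_CONFIG = {
    "C2 list": ["www.brochusuell.com/noor/"],
    "decoy": [
        "dwlm003.com", "plafon.one", "spacemazevr.com", "geniuslims.com", "selayvolkanwedding.com", "jarsofjoybylinathomas.com",
        "crosshatch-culinary.com", "mortenmortensen.com", "astromaritravel.com", "that-poor-girl.com", "kovalchukinteriors.com", "hoppingnations.net",
        "thequbi.com", "shoppermatic.com", "listofcannabinoids.com", "cottoneco.com", "betsrhodeisland.com", "cheerythoughts.com",
        "joyeriaguitzel.com", "marryobaidanjum.com", "globalapp.net", "ptuananh.club", "headstailsquiz.com", "centerdei.com",
        "voyagoezy.com", "mysftech.com", "makpumpiran.com", "infathguation.com", "icandrawanything.com", "condorclay.com",
        "weightlossguruji.com", "zhsysw.com", "radiogogy.com", "pocketeap.com", "gofloorsgo.com", "60-21stave.com",
        "juliamade.com", "diariodebrasilia.net", "estasenfamilia.com", "agaperpetual.com", "casualcool.xyz", "hfdfg.com",
        "uipoll.cloud", "indyafilmco.com", "avedonalchemy.online", "store-36.com", "trueandbare.com", "entrenandoamican.com",
        "tcheaptvwdmall.com", "pirates-bay.gifts", "gamesuptodate.com", "sotoki.com", "pinnacleautism.com", "xbzjist.com",
        "agencysevenadstrack.com", "atelierbeaumur.site", "stoptraffickingtc.com", "velvetlaceextensions.com", "sanidhestela.com", "crisstings.com",
        "gshockkuwait.com", "blaxies3.com", "customtiletables.com", "scgcarriers.com",
    ],
}

# Constructed sample traffic: requests 0-2 are check-ins seen in the report, request 3
# targets the configured C2 host (query value made up), request 4 is a browser request.
SAMPLE_REQUESTS = [
    "GET /noor/?1bWh=4rG107LnOcmcuziIBv//fTWAPRyuaqL3ZCNKQGbegtiOA/J/96Y+2s4SPBA+G2lg6sqa&z6A=SROlIdu0 HTTP/1.1\r\n"
    "Host: www.trueandbare.com\r\nConnection: close\r\n\r\n",
    "GET /noor/?1bWh=HXv2ci8qflo+sTzlFu6p6ayrdzzy8jUJJ1L5hJzxjEzCyp3/Ui7nWA8VYIXOKVKH4kcG&z6A=SROlIdu0 HTTP/1.1\r\n"
    "Host: www.velvetlaceextensions.com\r\nConnection: close\r\n\r\n",
    "GET /noor/?1bWh=yBBObmCyAJHV9q/laG6R4VeleE6hM9O/9rRknywdqzDMYOPfeqQhGmZFlzULPSD48dad&z6A=SROlIdu0 HTTP/1.1\r\n"
    "Host: www.pinnacleautism.com\r\nConnection: close\r\n\r\n",
    "GET /noor/?1bWh=QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB&z6A=SROlIdu0 HTTP/1.1\r\n"
    "Host: www.brochusuell.com\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]

# Two short alphanumeric parameter names, a base64-looking first value and a short
# second value: the query shape of every check-in in this report.
CHECKIN_QUERY = re.compile(r"^[A-Za-z0-9]{2,8}=[A-Za-z0-9+/=]{16,}&[A-Za-z0-9]{2,8}=[A-Za-z0-9]{4,16}$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target and lower-cased headers."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def c2_hosts(config):
    """Map each configured C2 host to its path ('www.brochusuell.com' -> '/noor/')."""
    out = {}
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        out[host.lower()] = "/" + path
    return out


def strip_www(host):
    """FormBook prepends 'www.' to the configured decoys; drop it before matching."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def classify(raw, config=FORMBOOK_CONFIG):
    """Return the host's role (c2 / decoy / unrelated) and the check-in indicators hit."""
    req = parse_request(raw)
    headers = req["headers"]
    host = headers.get("host", "")
    parts = urlsplit(req["target"])
    c2 = c2_hosts(config)
    indicators = []
    if "user-agent" not in headers:
        indicators.append("no User-Agent")
    if headers.get("connection", "").lower() == "close":
        indicators.append("Connection: close")
    if parts.path in c2.values():
        indicators.append("configured C2 path " + parts.path)
    if CHECKIN_QUERY.match(parts.query):
        indicators.append("FormBook check-in query shape")
    if host.lower() in c2:
        role = "c2"
    elif strip_www(host) in {d.lower() for d in config["decoy"]}:
        role = "decoy"
    else:
        role = "unrelated"
    return {"host": host, "role": role, "indicators": indicators, "checkin": len(indicators) >= 3}


def triage(requests, config=FORMBOOK_CONFIG):
    """Count flagged check-ins per host role; the blocklist is c2_hosts(), not the decoys."""
    counts = {"c2": 0, "decoy": 0, "unrelated": 0}
    for raw in requests:
        result = classify(raw, config)
        if result["checkin"]:
            counts[result["role"]] += 1
    return counts
```

On the constructed sample, triage() reports three decoy check-ins and one real C2 check-in, and the browser request hits none of the four indicators. The host alone never decides the verdict: the request shape flags the traffic, and the extracted configuration decides which host is worth blocking.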
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.13.194
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1 US
Source: Joe Sandbox View ASN Name: POWERLINE-AS-AP POWERLINEDATACENTER HK
Source: Joe Sandbox View ASN Name: ON-LINE-DATA Serverlocation-Netherlands Dronten NL
Source: unknown DNS traffic detected: queries for: www.tcheaptvwdmall.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Content-Length: 1364 | Connection: close | Date: Fri, 11 Jun 2021 13:43:42 GMT | Server: Apache | X-Frame-Options: deny | Data Raw: hex dump of the HTML body, cut off in the report | Data Ascii (decoded from that hex dump, whitespace collapsed): <!DOCTYPE html><html><head><meta charset="utf-8"><style type="text/css">html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; }</style><meta content="NOW" name="expires"><meta content="index, follow, all" name="GOOGLEBOT"><meta content="index, follow, all" name="robots"><!-- Following Meta-Tag fixes scaling-issues on mobile devices --><meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"></head><body><div id="partner"></div><script ty (cut off in the report)
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: OrderKLB210568.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: OrderKLB210568.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.670973820.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: raserver.exe, 00000009.00000002.923694061.0000000005782000.00000004.00000001.sdmp String found in binary or memory: https://www.plafon.one/noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405042
Note: the call chain ends in OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, so this function writes to the clipboard rather than reading it, and the 0_2_ prefix places it in process 0, the NSIS installer stub (see the nsis.sf.net strings under Networking), not in the injected FormBook code.
Creates a DirectInput object (often for capturing keystrokes)
Source: OrderKLB210568.exe, 00000000.00000002.667430799.00000000007AA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the matched string is a DirectDraw (DDRAW.DLL) hook entry found in read-write data of process 0, not a DirectInput8Create call; on its own it is weak evidence of keystroke capture.

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: the same eight memory dumps and six unpacked PE files listed under AV Detection (Yara detected FormBook)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: OrderKLB210568.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_004181C0 NtCreateFile, 1_2_004181C0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00418270 NtReadFile, 1_2_00418270
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_004182F0 NtClose, 1_2_004182F0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_004183A0 NtAllocateVirtualMemory, 1_2_004183A0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041826A NtReadFile, 1_2_0041826A
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00418212 NtReadFile, 1_2_00418212
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041839D NtAllocateVirtualMemory, 1_2_0041839D
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00AF98F0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00AF9860
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9840 NtDelayExecution,LdrInitializeThunk, 1_2_00AF9840
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF99A0 NtCreateSection,LdrInitializeThunk, 1_2_00AF99A0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00AF9910
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9A20 NtResumeThread,LdrInitializeThunk, 1_2_00AF9A20
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00AF9A00
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9A50 NtCreateFile,LdrInitializeThunk, 1_2_00AF9A50
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF95D0 NtClose,LdrInitializeThunk, 1_2_00AF95D0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9540 NtReadFile,LdrInitializeThunk, 1_2_00AF9540
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00AF96E0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00AF9660
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00AF97A0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00AF9780
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9FE0 NtCreateMutant,LdrInitializeThunk, 1_2_00AF9FE0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00AF9710
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF98A0 NtWriteVirtualMemory, 1_2_00AF98A0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9820 NtEnumerateKey, 1_2_00AF9820
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AFB040 NtSuspendThread, 1_2_00AFB040
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF99D0 NtCreateProcessEx, 1_2_00AF99D0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9950 NtQueueApcThread, 1_2_00AF9950
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9A80 NtOpenDirectoryObject, 1_2_00AF9A80
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9A10 NtQuerySection, 1_2_00AF9A10
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AFA3B0 NtGetContextThread, 1_2_00AFA3B0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9B00 NtSetValueKey, 1_2_00AF9B00
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF95F0 NtQueryInformationFile, 1_2_00AF95F0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9520 NtWaitForSingleObject, 1_2_00AF9520
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AFAD30 NtSetContextThread, 1_2_00AFAD30
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9560 NtWriteFile, 1_2_00AF9560
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF96D0 NtCreateKey, 1_2_00AF96D0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9610 NtEnumerateValueKey, 1_2_00AF9610
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9670 NtQueryInformationProcess, 1_2_00AF9670
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9650 NtQueryValueKey, 1_2_00AF9650
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9730 NtQueryVirtualMemory, 1_2_00AF9730
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AFA710 NtOpenProcessToken, 1_2_00AFA710
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9760 NtOpenProcess, 1_2_00AF9760
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9770 NtSetInformationFile, 1_2_00AF9770
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AFA770 NtOpenThread, 1_2_00AFA770
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_004181C0 NtCreateFile, 1_1_004181C0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_00418270 NtReadFile, 1_1_00418270
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_004182F0 NtClose, 1_1_004182F0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_004183A0 NtAllocateVirtualMemory, 1_1_004183A0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041826A NtReadFile, 1_1_0041826A
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_00418212 NtReadFile, 1_1_00418212
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041839D NtAllocateVirtualMemory, 1_1_0041839D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139540 NtReadFile,LdrInitializeThunk, 9_2_05139540
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051395D0 NtClose,LdrInitializeThunk, 9_2_051395D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139710 NtQueryInformationToken,LdrInitializeThunk, 9_2_05139710
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139780 NtMapViewOfSection,LdrInitializeThunk, 9_2_05139780
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139FE0 NtCreateMutant,LdrInitializeThunk, 9_2_05139FE0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139650 NtQueryValueKey,LdrInitializeThunk, 9_2_05139650
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_05139660
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051396D0 NtCreateKey,LdrInitializeThunk, 9_2_051396D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051396E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_051396E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_05139910
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051399A0 NtCreateSection,LdrInitializeThunk, 9_2_051399A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139840 NtDelayExecution,LdrInitializeThunk, 9_2_05139840
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_05139860
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139A50 NtCreateFile,LdrInitializeThunk, 9_2_05139A50
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0513AD30 NtSetContextThread, 9_2_0513AD30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139520 NtWaitForSingleObject, 9_2_05139520
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139560 NtWriteFile, 9_2_05139560
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051395F0 NtQueryInformationFile, 9_2_051395F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0513A710 NtOpenProcessToken, 9_2_0513A710
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139730 NtQueryVirtualMemory, 9_2_05139730
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0513A770 NtOpenThread, 9_2_0513A770
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139770 NtSetInformationFile, 9_2_05139770
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139760 NtOpenProcess, 9_2_05139760
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051397A0 NtUnmapViewOfSection, 9_2_051397A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139610 NtEnumerateValueKey, 9_2_05139610
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139670 NtQueryInformationProcess, 9_2_05139670
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139950 NtQueueApcThread, 9_2_05139950
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051399D0 NtCreateProcessEx, 9_2_051399D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139820 NtEnumerateKey, 9_2_05139820
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0513B040 NtSuspendThread, 9_2_0513B040
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051398A0 NtWriteVirtualMemory, 9_2_051398A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051398F0 NtReadVirtualMemory, 9_2_051398F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139B00 NtSetValueKey, 9_2_05139B00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0513A3B0 NtGetContextThread, 9_2_0513A3B0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139A10 NtQuerySection, 9_2_05139A10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139A00 NtProtectVirtualMemory, 9_2_05139A00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139A20 NtResumeThread, 9_2_05139A20
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139A80 NtOpenDirectoryObject, 9_2_05139A80
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_010181C0 NtCreateFile, 9_2_010181C0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_010183A0 NtAllocateVirtualMemory, 9_2_010183A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_01018270 NtReadFile, 9_2_01018270
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_010182F0 NtClose, 9_2_010182F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0101839D NtAllocateVirtualMemory, 9_2_0101839D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_01018212 NtReadFile, 9_2_01018212
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0101826A NtReadFile, 9_2_0101826A
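The native-API list above is the raw material behind the report's "Sample uses process hollowing technique" verdict: NtCreateProcessEx, NtUnmapViewOfSection, NtMapViewOfSection/NtWriteVirtualMemory, NtGetContextThread/NtSetContextThread, NtQueueApcThread and (in raserver.exe) NtResumeThread are exactly the stages of creating a suspended target, hollowing it, staging a payload and redirecting execution. The script below is an added example, not part of the report or of Joe Sandbox: it parses "Code function" lines in the format shown above (process-index_dump-index_address, the API names, the same identifier again), groups the referenced APIs per source image and reports which hollowing stages each image covers. The input is a constructed subset of the lines printed above, and the stage table and the threshold of three stages are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "Code function" lines from the report,
# plus one heading line to show that non-matching lines are skipped.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00AF9660
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00AF97A0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00AF9780
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF98A0 NtWriteVirtualMemory, 1_2_00AF98A0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF99D0 NtCreateProcessEx, 1_2_00AF99D0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF9950 NtQueueApcThread, 1_2_00AF9950
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AFA3B0 NtGetContextThread, 1_2_00AFA3B0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AFAD30 NtSetContextThread, 1_2_00AFAD30
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_004181C0 NtCreateFile, 1_1_004181C0
Contains functionality to shutdown / reboot the system
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139780 NtMapViewOfSection,LdrInitializeThunk, 9_2_05139780
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0513AD30 NtSetContextThread, 9_2_0513AD30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051397A0 NtUnmapViewOfSection, 9_2_051397A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139950 NtQueueApcThread, 9_2_05139950
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051399D0 NtCreateProcessEx, 9_2_051399D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051398A0 NtWriteVirtualMemory, 9_2_051398A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05139A20 NtResumeThread, 9_2_05139A20
""".strip().splitlines()

# Each function is printed as <process-index>_<dump-index>_<address> before and
# after its comma-separated API list (which carries a trailing comma).
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: "
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]+) (?P<calls>.*?) (?P=fid)$"
)

# Native-API building blocks of process hollowing, grouped by the stage each
# one serves (this grouping is the example's own, not the report's).
HOLLOWING_STAGES = {
    "create_target":  {"NtCreateProcessEx", "NtCreateUserProcess"},
    "unmap_original": {"NtUnmapViewOfSection"},
    "stage_payload":  {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "hijack_thread":  {"NtSetContextThread", "NtQueueApcThread"},
    "run_payload":    {"NtResumeThread"},
}


def parse_code_functions(lines):
    """Map each source image to the set of API names its functions reference."""
    apis = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headings and evidence lines of other kinds
        apis[m.group("image")].update(c for c in m.group("calls").split(",") if c)
    return dict(apis)


def hollowing_stages(api_names):
    """Stages for which at least one of the listed APIs is referenced."""
    return {stage for stage, options in HOLLOWING_STAGES.items() if api_names & options}


def summarize(lines, min_stages=3):
    """Per image: sorted stage names and a flag when min_stages or more are covered."""
    result = {}
    for image, names in parse_code_functions(lines).items():
        stages = hollowing_stages(names)
        result[image] = {"stages": sorted(stages), "flag": len(stages) >= min_stages}
    return result


if __name__ == "__main__":
    for image, info in summarize(REPORT_LINES).items():
        mark = "FLAG" if info["flag"] else "    "
        print(f"{mark} {image}: {', '.join(info['stages'])}")
```

Note that the static pass for OrderKLB210568.exe (process index 1) references no NtResumeThread at all, while the copy running inside raserver.exe does; the primary process still covers four of the five stages, which is why a threshold rather than a full match is the useful check. LdrInitializeThunk shows up alongside many entries because the resolver found the syscall stubs through ntdll, not because the sample calls it; it is simply left in the per-image set.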
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040323C
Detected potential crypto function
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00404853 0_2_00404853
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00406131 0_2_00406131
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_6FC41A98 0_2_6FC41A98
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00401026 1_2_00401026
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041B83E 1_2_0041B83E
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041C171 1_2_0041C171
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00401208 1_2_00401208
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00408C60 1_2_00408C60
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041C429 1_2_0041C429
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041B4A3 1_2_0041B4A3
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041BDB4 1_2_0041BDB4
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE20A0 1_2_00AE20A0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B820A8 1_2_00B820A8
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ACB090 1_2_00ACB090
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B828EC 1_2_00B828EC
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B8E824 1_2_00B8E824
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B71002 1_2_00B71002
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AD4120 1_2_00AD4120
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABF900 1_2_00ABF900
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B822AE 1_2_00B822AE
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B6FA2B 1_2_00B6FA2B
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEEBB0 1_2_00AEEBB0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7DBD2 1_2_00B7DBD2
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B703DA 1_2_00B703DA
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B82B28 1_2_00B82B28
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AC841F 1_2_00AC841F
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7D466 1_2_00B7D466
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE2581 1_2_00AE2581
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ACD5E0 1_2_00ACD5E0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B825DD 1_2_00B825DD
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB0D20 1_2_00AB0D20
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B82D07 1_2_00B82D07
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B81D55 1_2_00B81D55
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B82EF7 1_2_00B82EF7
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AD6E30 1_2_00AD6E30
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7D616 1_2_00B7D616
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B81FF1 1_2_00B81FF1
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B8DFCE 1_2_00B8DFCE
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_00401026 1_1_00401026
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_00401030 1_1_00401030
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041B83E 1_1_0041B83E
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041C171 1_1_0041C171
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_00401208 1_1_00401208
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_00408C60 1_1_00408C60
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041C429 1_1_0041C429
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041B4A3 1_1_0041B4A3
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_00402D90 1_1_00402D90
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041BDB4 1_1_0041BDB4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C2D07 9_2_051C2D07
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_050F0D20 9_2_050F0D20
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C1D55 9_2_051C1D55
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05122581 9_2_05122581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C25DD 9_2_051C25DD
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0510D5E0 9_2_0510D5E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0510841F 9_2_0510841F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051BD466 9_2_051BD466
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051B4496 9_2_051B4496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051CDFCE 9_2_051CDFCE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C1FF1 9_2_051C1FF1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051BD616 9_2_051BD616
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05116E30 9_2_05116E30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C2EF7 9_2_051C2EF7
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_050FF900 9_2_050FF900
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05114120 9_2_05114120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051199BF 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051B1002 9_2_051B1002
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511A830 9_2_0511A830
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051CE824 9_2_051CE824
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0510B090 9_2_0510B090
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051220A0 9_2_051220A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C20A8 9_2_051C20A8
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C28EC 9_2_051C28EC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511A309 9_2_0511A309
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C2B28 9_2_051C2B28
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511AB40 9_2_0511AB40
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0512EBB0 9_2_0512EBB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051B03DA 9_2_051B03DA
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051BDBD2 9_2_051BDBD2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0512ABD8 9_2_0512ABD8
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051A23E3 9_2_051A23E3
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051AFA2B 9_2_051AFA2B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C22AE 9_2_051C22AE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051B4AEF 9_2_051B4AEF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0101C171 9_2_0101C171
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0101B83E 9_2_0101B83E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_01002D90 9_2_01002D90
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0101BDB4 9_2_0101BDB4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0101C429 9_2_0101C429
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_01008C60 9_2_01008C60
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0101B4A3 9_2_0101B4A3
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_01002FB0 9_2_01002FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 050FB150 appears 124 times
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: String function: 00419F70 appears 36 times
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: String function: 00ABB150 appears 45 times
Sample file is different than original file name gathered from version info
Source: OrderKLB210568.exe, 00000000.00000003.660414871.0000000009B46000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs OrderKLB210568.exe
Source: OrderKLB210568.exe, 00000001.00000002.721198139.0000000000BAF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs OrderKLB210568.exe
Source: OrderKLB210568.exe, 00000001.00000002.720949048.0000000000A49000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameraserver.exej% vs OrderKLB210568.exe
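These three lines compare the OriginalFilename field of every VS_VERSION_INFO block found in the sample's memory with the sample's own file name. The ntdll.dll hit is expected for any process (the DLL is mapped into it); the raserver.exe hit is the interesting one, because it means a copy of that system binary's PE image was sitting inside OrderKLB210568.exe's address space (dump 00000001.00000002 at 0xA49000, alongside the RAServer.pdb string listed further down) before explorer.exe ever spawned raserver.exe, which is consistent with the sample mapping that binary as its hollowing target. The scanner below is an added example and not Joe Sandbox code: it locates the UTF-16LE "OriginalFilename" key in a raw image or memory dump, reads the value that follows it, and reports values that differ from the sample's name. The memory dump it runs on is constructed inline from minimal VS_VERSION_INFO String entries; the helper that builds them, the 260-character cap and the junk bytes are this example's assumptions.

```python
import ntpath
import struct

KEY = "OriginalFilename".encode("utf-16-le")
MAX_VALUE_CHARS = 260  # cap for one value; guards against runaway reads in junk


def find_original_filenames(blob: bytes):
    """Return every OriginalFilename value found in a PE image or memory dump.

    Looks for the UTF-16LE key of the VS_VERSION_INFO String entry, skips the
    key's NUL terminator and any DWORD alignment padding, then reads the
    UTF-16LE value up to its NUL terminator. This is a raw string scan of the
    kind the report's "Binary or memory string" evidence reflects, not a full
    version-resource parser.
    """
    names = []
    pos = blob.find(KEY)
    while pos != -1:
        j = pos + len(KEY)
        while j + 2 <= len(blob) and blob[j:j + 2] == b"\x00\x00":
            j += 2  # key terminator, then padding if the value is DWORD-aligned
        end = j
        while (end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00"
               and (end - j) // 2 < MAX_VALUE_CHARS):
            end += 2
        value = blob[j:end].decode("utf-16-le", errors="replace")
        if value:
            names.append(value)
        pos = blob.find(KEY, end)
    return names


def version_info_mismatches(sample_path, blob: bytes):
    """OriginalFilename values in blob that differ from the sample's own file name."""
    own = ntpath.basename(sample_path).lower()
    return sorted({n for n in find_original_filenames(blob) if n.lower() != own})


def _vs_string(key, value):
    """Build one VS_VERSION_INFO String entry: wLength, wValueLength, wType, szKey, padding, value.

    Helper written for this example to construct test data; it assumes the
    entry starts on a DWORD boundary, as the real structure requires.
    """
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    while (6 + len(k)) % 4:
        k += b"\x00\x00"  # pad so the value starts DWORD-aligned
    header = struct.pack("<HHH", 6 + len(k) + len(v), len(value) + 1, 1)
    return header + k + v


# Constructed stand-in for a process memory dump: filler, an unrelated entry,
# then OriginalFilename entries for ntdll.dll (a loaded DLL, expected),
# raserver.exe (a foreign PE image inside the sample, not expected) and the
# sample's own name.
MEMORY_DUMP = (
    b"\x90" * 16
    + _vs_string("ProductName", "Microsoft Windows")
    + _vs_string("OriginalFilename", "ntdll.dll")
    + b"\x00" * 8
    + _vs_string("OriginalFilename", "raserver.exe")
    + _vs_string("OriginalFilename", "OrderKLB210568.exe")
)

if __name__ == "__main__":
    sample = r"C:\Users\user\Desktop\OrderKLB210568.exe"
    for name in version_info_mismatches(sample, MEMORY_DUMP):
        print(f"OriginalFilename {name} vs {ntpath.basename(sample)}")
```

On a real dump, filter the expected names (ntdll.dll and the other DLLs in the process's module list) before treating a mismatch as evidence; what remains is the list of executables the process held an image of without loading them as modules, which for this sample is raserver.exe.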
Uses 32bit PE files
Source: OrderKLB210568.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/4@15/8
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404356
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar, 0_2_00402020
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_01
Source: C:\Users\user\Desktop\OrderKLB210568.exe File created: C:\Users\user\AppData\Local\Temp\nsq144A.tmp
Source: OrderKLB210568.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OrderKLB210568.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\OrderKLB210568.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: OrderKLB210568.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\Desktop\OrderKLB210568.exe File read: C:\Users\user\Desktop\OrderKLB210568.exe
Source: unknown Process created: C:\Users\user\Desktop\OrderKLB210568.exe 'C:\Users\user\Desktop\OrderKLB210568.exe'
Source: C:\Users\user\Desktop\OrderKLB210568.exe Process created: C:\Users\user\Desktop\OrderKLB210568.exe 'C:\Users\user\Desktop\OrderKLB210568.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\OrderKLB210568.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OrderKLB210568.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.712034262.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: OrderKLB210568.exe, 00000000.00000003.659659585.0000000009A30000.00000004.00000001.sdmp, OrderKLB210568.exe, 00000001.00000002.721198139.0000000000BAF000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.923390978.00000000051EF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: OrderKLB210568.exe, raserver.exe
Source: Binary string: RAServer.pdb source: OrderKLB210568.exe, 00000001.00000002.720929756.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL source: OrderKLB210568.exe, 00000001.00000002.720929756.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.712034262.0000000005A00000.00000002.00000001.sdmp
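The process-creation lines above give the whole chain in four events: the sample re-launches its own image (the hollowed child), explorer.exe, which the sample never spawned, launches C:\Windows\SysWOW64\raserver.exe, and that raserver.exe runs cmd.exe /c del against the original sample file. The deletion is the telling event: a process outside the sample's lineage cleaning up the sample means the code doing the cleanup was injected into explorer.exe and from there into raserver.exe. The script below is an added detection example, not part of the report: it takes process-creation events with parent links, flags same-image self-spawns and flags any deletion of the sample by a process that does not descend from it, naming the root of the deleter's lineage. The events are constructed from the report's tree; the PIDs, the explorer.exe entry and the quoting of the command lines are this example's assumptions (the report prints no PIDs).

```python
import ntpath
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

SAMPLE = r"C:\Users\user\Desktop\OrderKLB210568.exe"

# Constructed process-creation events modelled on the report's process tree.
# PIDs are invented; explorer.exe is the pre-existing shell, not a child of
# the sample, which is the point of the lineage check below.
EVENTS = [
    Proc(100, 1,   SAMPLE, f'"{SAMPLE}"'),
    Proc(101, 100, SAMPLE, f'"{SAMPLE}"'),
    Proc(200, 50,  r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(201, 200, r"C:\Windows\SysWOW64\raserver.exe", r"C:\Windows\SysWOW64\raserver.exe"),
    Proc(202, 201, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"'),
    Proc(203, 202, r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# "del <path>" with the path optionally wrapped in single or double quotes.
DEL_RE = re.compile(r"\bdel\s+['\"]?(?P<path>[^'\"]+?)['\"]?\s*$", re.IGNORECASE)


def lineage(procs, pid):
    """Process chain starting at pid: [self, parent, grandparent, ...]."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def findings(procs, sample_path):
    """Return (kind, pid, detail) tuples for the two patterns in the report's tree."""
    by_pid = {p.pid: p for p in procs}
    want = ntpath.normcase(sample_path)
    out = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        # 1. A process re-launching its own image: the usual prelude to hollowing
        #    the child (created suspended) and running a payload inside it.
        if parent is not None and ntpath.normcase(parent.image) == ntpath.normcase(p.image):
            out.append(("self_spawn", p.pid, p.image))
        # 2. The sample file deleted by a process that does not descend from the
        #    sample: the deleter's lineage roots in some other process, so that
        #    process is executing code the sample injected into it.
        m = DEL_RE.search(p.cmdline)
        if m and ntpath.normcase(m.group("path")) == want:
            chain = lineage(procs, p.pid)
            ancestors = {ntpath.normcase(a.image) for a in chain[1:]}
            if want not in ancestors:
                out.append(("sample_deleted_outside_lineage", p.pid, chain[-1].image))
    return out


if __name__ == "__main__":
    for kind, pid, detail in findings(EVENTS, SAMPLE):
        print(f"{kind}: pid {pid} ({detail})")
```

A sample that deletes itself through its own child cmd.exe produces no lineage finding, which is deliberate: self-deletion by installers and updaters is common, whereas deletion of a file by a process tree that never executed it is not. On a real endpoint the same logic runs over Sysmon event ID 1 or the equivalent EDR telemetry, with ProcessId/ParentProcessId in place of the invented PIDs.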

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\OrderKLB210568.exe Unpacked PE file: 1.2.OrderKLB210568.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_6FC42F60 push eax; ret 0_2_6FC42F8E
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00416251 pushad ; retf 1_2_00416242
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00416233 pushad ; retf 1_2_00416242
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0040C2D9 push eax; retf 1_2_0040C306
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00415B74 push ebp; iretd 1_2_00415B76
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0040C307 push eax; retf 1_2_0040C306
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041B3B5 push eax; ret 1_2_0041B408
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041B46C push eax; ret 1_2_0041B472
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041B402 push eax; ret 1_2_0041B408
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041B40B push eax; ret 1_2_0041B472
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_0041CD5B push ecx; ret 1_2_0041CD5E
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B0D0D1 push ecx; ret 1_2_00B0D0E4
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_00416251 pushad ; retf 1_1_00416242
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_00416233 pushad ; retf 1_1_00416242
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0040C2D9 push eax; retf 1_1_0040C306
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_00415B74 push ebp; iretd 1_1_00415B76
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0040C307 push eax; retf 1_1_0040C306
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041B3B5 push eax; ret 1_1_0041B408
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041B46C push eax; ret 1_1_0041B472
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041B402 push eax; ret 1_1_0041B408
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041B40B push eax; ret 1_1_0041B472
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_1_0041CD5B push ecx; ret 1_1_0041CD5E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0514D0D1 push ecx; ret 9_2_0514D0E4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0100C307 push eax; retf 9_2_0100C306
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_01015B74 push ebp; iretd 9_2_01015B76
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0101B3B5 push eax; ret 9_2_0101B408
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_01016233 pushad ; retf 9_2_01016242
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_01016251 pushad ; retf 9_2_01016242
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0100C2D9 push eax; retf 9_2_0100C306
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0101CD5B push ecx; ret 9_2_0101CD5E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0101B402 push eax; ret 9_2_0101B408

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\OrderKLB210568.exe File created: C:\Users\user\AppData\Local\Temp\nsq144C.tmp\System.dll

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\OrderKLB210568.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\OrderKLB210568.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\OrderKLB210568.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OrderKLB210568.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 00000000010085E4 second address: 00000000010085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 000000000100897E second address: 0000000001008984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\OrderKLB210568.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_004088B0 rdtsc 1_2_004088B0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5768 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\raserver.exe TID: 1284 Thread sleep time: -46000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: explorer.exe, 00000004.00000000.688063806.000000000A9D6000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA
Source: explorer.exe, 00000004.00000000.681889045.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.686089155.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.682313880.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.678930816.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.686288903.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.681889045.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.681889045.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.686368978.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000004.00000000.681889045.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\OrderKLB210568.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\OrderKLB210568.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_004088B0 rdtsc 1_2_004088B0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00409B20 LdrLoadDll, 1_2_00409B20
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF90AF mov eax, dword ptr fs:[00000030h] 1_2_00AF90AF
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AE20A0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEF0BF mov ecx, dword ptr fs:[00000030h] 1_2_00AEF0BF
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEF0BF mov eax, dword ptr fs:[00000030h] 1_2_00AEF0BF
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB9080 mov eax, dword ptr fs:[00000030h] 1_2_00AB9080
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B33884 mov eax, dword ptr fs:[00000030h] 1_2_00B33884
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB58EC mov eax, dword ptr fs:[00000030h] 1_2_00AB58EC
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB40E1 mov eax, dword ptr fs:[00000030h] 1_2_00AB40E1
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B4B8D0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B4B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00B4B8D0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B4B8D0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE002D mov eax, dword ptr fs:[00000030h] 1_2_00AE002D
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ACB02A mov eax, dword ptr fs:[00000030h] 1_2_00ACB02A
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B37016 mov eax, dword ptr fs:[00000030h] 1_2_00B37016
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B84015 mov eax, dword ptr fs:[00000030h] 1_2_00B84015
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B72073 mov eax, dword ptr fs:[00000030h] 1_2_00B72073
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B81074 mov eax, dword ptr fs:[00000030h] 1_2_00B81074
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AD0050 mov eax, dword ptr fs:[00000030h] 1_2_00AD0050
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B351BE mov eax, dword ptr fs:[00000030h] 1_2_00B351BE
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE61A0 mov eax, dword ptr fs:[00000030h] 1_2_00AE61A0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B749A4 mov eax, dword ptr fs:[00000030h] 1_2_00B749A4
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B369A6 mov eax, dword ptr fs:[00000030h] 1_2_00B369A6
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEA185 mov eax, dword ptr fs:[00000030h] 1_2_00AEA185
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ADC182 mov eax, dword ptr fs:[00000030h] 1_2_00ADC182
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE2990 mov eax, dword ptr fs:[00000030h] 1_2_00AE2990
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABB1E1 mov eax, dword ptr fs:[00000030h] 1_2_00ABB1E1
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B441E8 mov eax, dword ptr fs:[00000030h] 1_2_00B441E8
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AD4120 mov eax, dword ptr fs:[00000030h] 1_2_00AD4120
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AD4120 mov ecx, dword ptr fs:[00000030h] 1_2_00AD4120
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE513A mov eax, dword ptr fs:[00000030h] 1_2_00AE513A
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB9100 mov eax, dword ptr fs:[00000030h] 1_2_00AB9100
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABC962 mov eax, dword ptr fs:[00000030h] 1_2_00ABC962
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABB171 mov eax, dword ptr fs:[00000030h] 1_2_00ABB171
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ADB944 mov eax, dword ptr fs:[00000030h] 1_2_00ADB944
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 1_2_00AB52A5
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ACAAB0 mov eax, dword ptr fs:[00000030h] 1_2_00ACAAB0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEFAB0 mov eax, dword ptr fs:[00000030h] 1_2_00AEFAB0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AED294 mov eax, dword ptr fs:[00000030h] 1_2_00AED294
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE2AE4 mov eax, dword ptr fs:[00000030h] 1_2_00AE2AE4
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE2ACB mov eax, dword ptr fs:[00000030h] 1_2_00AE2ACB
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF4A2C mov eax, dword ptr fs:[00000030h] 1_2_00AF4A2C
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7AA16 mov eax, dword ptr fs:[00000030h] 1_2_00B7AA16
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AC8A0A mov eax, dword ptr fs:[00000030h] 1_2_00AC8A0A
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AD3A1C mov eax, dword ptr fs:[00000030h] 1_2_00AD3A1C
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB5210 mov eax, dword ptr fs:[00000030h] 1_2_00AB5210
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB5210 mov ecx, dword ptr fs:[00000030h] 1_2_00AB5210
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB5210 mov eax, dword ptr fs:[00000030h] 1_2_00AB5210
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABAA16 mov eax, dword ptr fs:[00000030h] 1_2_00ABAA16
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF927A mov eax, dword ptr fs:[00000030h] 1_2_00AF927A
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B6B260 mov eax, dword ptr fs:[00000030h] 1_2_00B6B260
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B88A62 mov eax, dword ptr fs:[00000030h] 1_2_00B88A62
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7EA55 mov eax, dword ptr fs:[00000030h] 1_2_00B7EA55
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B44257 mov eax, dword ptr fs:[00000030h] 1_2_00B44257
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB9240 mov eax, dword ptr fs:[00000030h] 1_2_00AB9240
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AE4BAD
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B85BA5 mov eax, dword ptr fs:[00000030h] 1_2_00B85BA5
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AC1B8F mov eax, dword ptr fs:[00000030h] 1_2_00AC1B8F
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B6D380 mov ecx, dword ptr fs:[00000030h] 1_2_00B6D380
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE2397 mov eax, dword ptr fs:[00000030h] 1_2_00AE2397
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7138A mov eax, dword ptr fs:[00000030h] 1_2_00B7138A
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEB390 mov eax, dword ptr fs:[00000030h] 1_2_00AEB390
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ADDBE9 mov eax, dword ptr fs:[00000030h] 1_2_00ADDBE9
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AE03E2
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B353CA mov eax, dword ptr fs:[00000030h] 1_2_00B353CA
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7131B mov eax, dword ptr fs:[00000030h] 1_2_00B7131B
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABDB60 mov ecx, dword ptr fs:[00000030h] 1_2_00ABDB60
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE3B7A mov eax, dword ptr fs:[00000030h] 1_2_00AE3B7A
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B88B58 mov eax, dword ptr fs:[00000030h] 1_2_00B88B58
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABDB40 mov eax, dword ptr fs:[00000030h] 1_2_00ABDB40
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABF358 mov eax, dword ptr fs:[00000030h] 1_2_00ABF358
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AC849B mov eax, dword ptr fs:[00000030h] 1_2_00AC849B
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B36CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B36CF0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B714FB mov eax, dword ptr fs:[00000030h] 1_2_00B714FB
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B88CD6 mov eax, dword ptr fs:[00000030h] 1_2_00B88CD6
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEBC2C mov eax, dword ptr fs:[00000030h] 1_2_00AEBC2C
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B8740D mov eax, dword ptr fs:[00000030h] 1_2_00B8740D
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B36C0A mov eax, dword ptr fs:[00000030h] 1_2_00B36C0A
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AD746D mov eax, dword ptr fs:[00000030h] 1_2_00AD746D
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B4C450 mov eax, dword ptr fs:[00000030h] 1_2_00B4C450
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEA44B mov eax, dword ptr fs:[00000030h] 1_2_00AEA44B
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE35A1 mov eax, dword ptr fs:[00000030h] 1_2_00AE35A1
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B805AC mov eax, dword ptr fs:[00000030h] 1_2_00B805AC
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AE1DB5
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 1_2_00AB2D8A
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE2581 mov eax, dword ptr fs:[00000030h] 1_2_00AE2581
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEFD9B mov eax, dword ptr fs:[00000030h] 1_2_00AEFD9B
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B68DF1 mov eax, dword ptr fs:[00000030h] 1_2_00B68DF1
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ACD5E0 mov eax, dword ptr fs:[00000030h] 1_2_00ACD5E0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B7FDE2
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B36DC9
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B36DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00B36DC9
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B3A537 mov eax, dword ptr fs:[00000030h] 1_2_00B3A537
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B88D34 mov eax, dword ptr fs:[00000030h] 1_2_00B88D34
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7E539 mov eax, dword ptr fs:[00000030h] 1_2_00B7E539
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AE4D3B
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABAD30 mov eax, dword ptr fs:[00000030h] 1_2_00ABAD30
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ADC577 mov eax, dword ptr fs:[00000030h] 1_2_00ADC577
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF3D43 mov eax, dword ptr fs:[00000030h] 1_2_00AF3D43
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B33540 mov eax, dword ptr fs:[00000030h] 1_2_00B33540
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B63D40 mov eax, dword ptr fs:[00000030h] 1_2_00B63D40
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AD7D50 mov eax, dword ptr fs:[00000030h] 1_2_00AD7D50
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B346A7 mov eax, dword ptr fs:[00000030h] 1_2_00B346A7
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B80EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B80EA5
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B4FE87 mov eax, dword ptr fs:[00000030h] 1_2_00B4FE87
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE16E0 mov ecx, dword ptr fs:[00000030h] 1_2_00AE16E0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AC76E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC76E2
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE36CC mov eax, dword ptr fs:[00000030h] 1_2_00AE36CC
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF8EC7 mov eax, dword ptr fs:[00000030h] 1_2_00AF8EC7
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B88ED6 mov eax, dword ptr fs:[00000030h] 1_2_00B88ED6
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B6FEC0 mov eax, dword ptr fs:[00000030h] 1_2_00B6FEC0
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B6FE3F mov eax, dword ptr fs:[00000030h] 1_2_00B6FE3F
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABE620 mov eax, dword ptr fs:[00000030h] 1_2_00ABE620
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ABC600 mov eax, dword ptr fs:[00000030h] 1_2_00ABC600
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AE8E00 mov eax, dword ptr fs:[00000030h] 1_2_00AE8E00
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEA61C mov eax, dword ptr fs:[00000030h] 1_2_00AEA61C
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B71608 mov eax, dword ptr fs:[00000030h] 1_2_00B71608
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AC766D mov eax, dword ptr fs:[00000030h] 1_2_00AC766D
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 1_2_00ADAE73
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AC7E41
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B7AE44 mov eax, dword ptr fs:[00000030h] 1_2_00B7AE44
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B37794 mov eax, dword ptr fs:[00000030h] 1_2_00B37794
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AC8794 mov eax, dword ptr fs:[00000030h] 1_2_00AC8794
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AF37F5 mov eax, dword ptr fs:[00000030h] 1_2_00AF37F5
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AB4F2E mov eax, dword ptr fs:[00000030h] 1_2_00AB4F2E
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEE730 mov eax, dword ptr fs:[00000030h] 1_2_00AEE730
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00AEA70E mov eax, dword ptr fs:[00000030h] 1_2_00AEA70E
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B4FF10 mov eax, dword ptr fs:[00000030h] 1_2_00B4FF10
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B8070D mov eax, dword ptr fs:[00000030h] 1_2_00B8070D
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ADF716 mov eax, dword ptr fs:[00000030h] 1_2_00ADF716
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ACFF60 mov eax, dword ptr fs:[00000030h] 1_2_00ACFF60
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00B88F6A mov eax, dword ptr fs:[00000030h] 1_2_00B88F6A
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 1_2_00ACEF40 mov eax, dword ptr fs:[00000030h] 1_2_00ACEF40
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0517A537 mov eax, dword ptr fs:[00000030h] 9_2_0517A537
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051BE539 mov eax, dword ptr fs:[00000030h] 9_2_051BE539
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05103D34 mov eax, dword ptr fs:[00000030h] 9_2_05103D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C8D34 mov eax, dword ptr fs:[00000030h] 9_2_051C8D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05124D3B mov eax, dword ptr fs:[00000030h] 9_2_05124D3B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_050FAD30 mov eax, dword ptr fs:[00000030h] 9_2_050FAD30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05117D50 mov eax, dword ptr fs:[00000030h] 9_2_05117D50
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05133D43 mov eax, dword ptr fs:[00000030h] 9_2_05133D43
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05173540 mov eax, dword ptr fs:[00000030h] 9_2_05173540
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051A3D40 mov eax, dword ptr fs:[00000030h] 9_2_051A3D40
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511C577 mov eax, dword ptr fs:[00000030h] 9_2_0511C577
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_050F2D8A mov eax, dword ptr fs:[00000030h] 9_2_050F2D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0512FD9B mov eax, dword ptr fs:[00000030h] 9_2_0512FD9B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05122581 mov eax, dword ptr fs:[00000030h] 9_2_05122581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05121DB5 mov eax, dword ptr fs:[00000030h] 9_2_05121DB5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C05AC mov eax, dword ptr fs:[00000030h] 9_2_051C05AC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051235A1 mov eax, dword ptr fs:[00000030h] 9_2_051235A1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05176DC9 mov eax, dword ptr fs:[00000030h] 9_2_05176DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05176DC9 mov ecx, dword ptr fs:[00000030h] 9_2_05176DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051A8DF1 mov eax, dword ptr fs:[00000030h] 9_2_051A8DF1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0510D5E0 mov eax, dword ptr fs:[00000030h] 9_2_0510D5E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051BFDE2 mov eax, dword ptr fs:[00000030h] 9_2_051BFDE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C740D mov eax, dword ptr fs:[00000030h] 9_2_051C740D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051B1C06 mov eax, dword ptr fs:[00000030h] 9_2_051B1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05176C0A mov eax, dword ptr fs:[00000030h] 9_2_05176C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0512BC2C mov eax, dword ptr fs:[00000030h] 9_2_0512BC2C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0518C450 mov eax, dword ptr fs:[00000030h] 9_2_0518C450
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0512A44B mov eax, dword ptr fs:[00000030h] 9_2_0512A44B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0512AC7B mov eax, dword ptr fs:[00000030h] 9_2_0512AC7B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511746D mov eax, dword ptr fs:[00000030h] 9_2_0511746D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0510849B mov eax, dword ptr fs:[00000030h] 9_2_0510849B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051B4496 mov eax, dword ptr fs:[00000030h] 9_2_051B4496
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C8CD6 mov eax, dword ptr fs:[00000030h] 9_2_051C8CD6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051B14FB mov eax, dword ptr fs:[00000030h] 9_2_051B14FB
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05176CF0 mov eax, dword ptr fs:[00000030h] 9_2_05176CF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511F716 mov eax, dword ptr fs:[00000030h] 9_2_0511F716
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0518FF10 mov eax, dword ptr fs:[00000030h] 9_2_0518FF10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C070D mov eax, dword ptr fs:[00000030h] 9_2_051C070D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0512A70E mov eax, dword ptr fs:[00000030h] 9_2_0512A70E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_050F4F2E mov eax, dword ptr fs:[00000030h] 9_2_050F4F2E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0512E730 mov eax, dword ptr fs:[00000030h] 9_2_0512E730
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511B73D mov eax, dword ptr fs:[00000030h] 9_2_0511B73D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0510EF40 mov eax, dword ptr fs:[00000030h] 9_2_0510EF40
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0510FF60 mov eax, dword ptr fs:[00000030h] 9_2_0510FF60
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C8F6A mov eax, dword ptr fs:[00000030h] 9_2_051C8F6A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05177794 mov eax, dword ptr fs:[00000030h] 9_2_05177794
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05108794 mov eax, dword ptr fs:[00000030h] 9_2_05108794
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051337F5 mov eax, dword ptr fs:[00000030h] 9_2_051337F5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0512A61C mov eax, dword ptr fs:[00000030h] 9_2_0512A61C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_050FC600 mov eax, dword ptr fs:[00000030h] 9_2_050FC600
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05128E00 mov eax, dword ptr fs:[00000030h] 9_2_05128E00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051B1608 mov eax, dword ptr fs:[00000030h] 9_2_051B1608
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051AFE3F mov eax, dword ptr fs:[00000030h] 9_2_051AFE3F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_050FE620 mov eax, dword ptr fs:[00000030h] 9_2_050FE620
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05107E41 mov eax, dword ptr fs:[00000030h] 9_2_05107E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051BAE44 mov eax, dword ptr fs:[00000030h] 9_2_051BAE44
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511AE73 mov eax, dword ptr fs:[00000030h] 9_2_0511AE73
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0510766D mov eax, dword ptr fs:[00000030h] 9_2_0510766D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0518FE87 mov eax, dword ptr fs:[00000030h] 9_2_0518FE87
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051746A7 mov eax, dword ptr fs:[00000030h] 9_2_051746A7
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C0EA5 mov eax, dword ptr fs:[00000030h] 9_2_051C0EA5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C8ED6 mov eax, dword ptr fs:[00000030h] 9_2_051C8ED6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05138EC7 mov eax, dword ptr fs:[00000030h] 9_2_05138EC7
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051AFEC0 mov eax, dword ptr fs:[00000030h] 9_2_051AFEC0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051236CC mov eax, dword ptr fs:[00000030h] 9_2_051236CC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051216E0 mov ecx, dword ptr fs:[00000030h] 9_2_051216E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051076E2 mov eax, dword ptr fs:[00000030h] 9_2_051076E2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_050F9100 mov eax, dword ptr fs:[00000030h] 9_2_050F9100
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0512513A mov eax, dword ptr fs:[00000030h] 9_2_0512513A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05114120 mov eax, dword ptr fs:[00000030h] 9_2_05114120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05114120 mov ecx, dword ptr fs:[00000030h] 9_2_05114120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511B944 mov eax, dword ptr fs:[00000030h] 9_2_0511B944
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_050FC962 mov eax, dword ptr fs:[00000030h] 9_2_050FC962
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_050FB171 mov eax, dword ptr fs:[00000030h] 9_2_050FB171
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05122990 mov eax, dword ptr fs:[00000030h] 9_2_05122990
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511C182 mov eax, dword ptr fs:[00000030h] 9_2_0511C182
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0512A185 mov eax, dword ptr fs:[00000030h] 9_2_0512A185
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051751BE mov eax, dword ptr fs:[00000030h] 9_2_051751BE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051199BF mov ecx, dword ptr fs:[00000030h] 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051199BF mov ecx, dword ptr fs:[00000030h] 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051199BF mov eax, dword ptr fs:[00000030h] 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051199BF mov ecx, dword ptr fs:[00000030h] 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051199BF mov ecx, dword ptr fs:[00000030h] 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051199BF mov eax, dword ptr fs:[00000030h] 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051199BF mov ecx, dword ptr fs:[00000030h] 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051199BF mov ecx, dword ptr fs:[00000030h] 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051199BF mov eax, dword ptr fs:[00000030h] 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051199BF mov ecx, dword ptr fs:[00000030h] 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051199BF mov ecx, dword ptr fs:[00000030h] 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051199BF mov eax, dword ptr fs:[00000030h] 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051769A6 mov eax, dword ptr fs:[00000030h] 9_2_051769A6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051261A0 mov eax, dword ptr fs:[00000030h] 9_2_051261A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051261A0 mov eax, dword ptr fs:[00000030h] 9_2_051261A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051B49A4 mov eax, dword ptr fs:[00000030h] 9_2_051B49A4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051B49A4 mov eax, dword ptr fs:[00000030h] 9_2_051B49A4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051B49A4 mov eax, dword ptr fs:[00000030h] 9_2_051B49A4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051B49A4 mov eax, dword ptr fs:[00000030h] 9_2_051B49A4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_050FB1E1 mov eax, dword ptr fs:[00000030h] 9_2_050FB1E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_050FB1E1 mov eax, dword ptr fs:[00000030h] 9_2_050FB1E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_050FB1E1 mov eax, dword ptr fs:[00000030h] 9_2_050FB1E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051841E8 mov eax, dword ptr fs:[00000030h] 9_2_051841E8
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05177016 mov eax, dword ptr fs:[00000030h] 9_2_05177016
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05177016 mov eax, dword ptr fs:[00000030h] 9_2_05177016
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_05177016 mov eax, dword ptr fs:[00000030h] 9_2_05177016
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C4015 mov eax, dword ptr fs:[00000030h] 9_2_051C4015
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_051C4015 mov eax, dword ptr fs:[00000030h] 9_2_051C4015
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511A830 mov eax, dword ptr fs:[00000030h] 9_2_0511A830
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511A830 mov eax, dword ptr fs:[00000030h] 9_2_0511A830
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511A830 mov eax, dword ptr fs:[00000030h] 9_2_0511A830
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0511A830 mov eax, dword ptr fs:[00000030h] 9_2_0511A830
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0510B02A mov eax, dword ptr fs:[00000030h] 9_2_0510B02A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0510B02A mov eax, dword ptr fs:[00000030h] 9_2_0510B02A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0510B02A mov eax, dword ptr fs:[00000030h] 9_2_0510B02A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0510B02A mov eax, dword ptr fs:[00000030h] 9_2_0510B02A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0512002D mov eax, dword ptr fs:[00000030h] 9_2_0512002D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0512002D mov eax, dword ptr fs:[00000030h] 9_2_0512002D
Enables debug privileges
Source: C:\Users\user\Desktop\OrderKLB210568.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\raserver.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 154.201.212.113 80
Source: C:\Windows\explorer.exe Network Connect: 45.87.1.159 80
Source: C:\Windows\explorer.exe Domain query: www.marryobaidanjum.com
Source: C:\Windows\explorer.exe Network Connect: 74.208.236.54 80
Source: C:\Windows\explorer.exe Domain query: www.plafon.one
Source: C:\Windows\explorer.exe Domain query: www.tcheaptvwdmall.com
Source: C:\Windows\explorer.exe Domain query: www.scgcarriers.com
Source: C:\Windows\explorer.exe Domain query: www.customtiletables.com
Source: C:\Windows\explorer.exe Domain query: www.velvetlaceextensions.com
Source: C:\Windows\explorer.exe Domain query: www.trueandbare.com
Source: C:\Windows\explorer.exe Network Connect: 162.144.21.92 80
Source: C:\Windows\explorer.exe Network Connect: 34.215.126.147 80
Source: C:\Windows\explorer.exe Network Connect: 104.16.13.194 80
Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe Domain query: www.pinnacleautism.com
Source: C:\Windows\explorer.exe Network Connect: 142.250.180.243 80
Source: C:\Windows\explorer.exe Domain query: www.jarsofjoybylinathomas.com
Source: C:\Windows\explorer.exe Domain query: www.astromaritravel.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\OrderKLB210568.exe Section loaded: unknown target: C:\Users\user\Desktop\OrderKLB210568.exe protection: execute and read and write
Source: C:\Users\user\Desktop\OrderKLB210568.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\OrderKLB210568.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Users\user\Desktop\OrderKLB210568.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\OrderKLB210568.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\raserver.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\OrderKLB210568.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\OrderKLB210568.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 12B0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\OrderKLB210568.exe Process created: C:\Users\user\Desktop\OrderKLB210568.exe 'C:\Users\user\Desktop\OrderKLB210568.exe'
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\OrderKLB210568.exe'
Source: explorer.exe, 00000004.00000000.697916766.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000000.669867758.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.923196750.0000000003990000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.669867758.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.923196750.0000000003990000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.669867758.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.923196750.0000000003990000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.669867758.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.923196750.0000000003990000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.686288903.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\OrderKLB210568.exe Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405B88

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE