Windows Analysis Report FedEx TRACKING DETAILS.exe

Overview

General Information

Sample Name: FedEx TRACKING DETAILS.exe
Analysis ID: 532861
MD5: 32414d4cae15c3a8063bf1251346533c
SHA1: 3e92cca40b5b3bde11265ea773e77e0cd2432f96
SHA256: d6b4f7ba99b492e9b2382b51f6c49b32e86cc81b7fc6c93313f5962de4b910bd
Tags: exe, FedEx, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
AV process strings found (often used to terminate AV products)
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.hdetpnipa.xyz/a34b/"], "decoy": ["mesonarte.com", "eksiwakun9.xyz", "dustcollectionconsultant.com", "heliosarchitecture.com", "chinaanalysisgroup.com", "nimbinhillshemp.com", "ychain.biz", "mountshastaart.com", "monstermangoloco.com", "bodhiandbear.com", "rootednft.xyz", "metayema.com", "zw21.xyz", "criccketworld.com", "segurobarato.net", "ananyacap.com", "momo-momo.xyz", "ezrealestatedeals.com", "ghrde.xyz", "idimol.com", "pcthspoe.xyz", "thewhiteswanharringworth.com", "che8760.com", "85111280.xyz", "apteka-magnolia.com", "proach.online", "portfolioabeckford.com", "affilinvest.com", "subspank.xyz", "odessamadrecoffeehouse.com", "onetrade.biz", "tianfuhg.com", "kibtitalikeniwenti.com", "terriblearttours.com", "saudirelief.com", "metacourting.xyz", "kimera.blue", "mgpsfm.com", "metawzrd.com", "veahhiodl.xyz", "alimasurfhotel.com", "sirensandiego.com", "gd-hxgg.com", "aurorarift.com", "clingbee.com", "zettavisor2021.xyz", "gregoryryankramer.art", "robertsonfandc.com", "sociedadgeograficacafe.com", "emilyhkeefer.com", "v-hush.com", "judithtuttle.xyz", "itbrandlink.com", "carrybicycles.com", "storge-evolution.com", "socnhhpa.xyz", "victorzark.com", "ghettoguy.com", "redtruckguy.com", "jeanmariewallendorf.com", "ocpdtel.xyz", "democracies.online", "bw529twonineh5.world", "chinhdohuyenthoai.xyz"]}
Multi AV Scanner detection for submitted file
Source: FedEx TRACKING DETAILS.exe Virustotal: Detection: 36%
Source: FedEx TRACKING DETAILS.exe ReversingLabs: Detection: 51%
Yara detected FormBook
Source: Yara match File source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.hdetpnipa.xyz/a34b/ Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: www.hdetpnipa.xyz/a34b/ Virustotal: Detection: 9%
Machine Learning detection for sample
Source: FedEx TRACKING DETAILS.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1534.338.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9508.291.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1914.140.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d0fb8.93.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c975c.64.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c95f8.303.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1104.107.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd434.350.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26de008.143.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c53cc.145.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd954.118.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d4014.184.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d858c.229.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cb8c4.81.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1c44.353.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1348.39.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c45dc.85.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.725b0000.11.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26de3c4.151.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d6ecc.218.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1104.108.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d421c.193.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4008.14.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd3f0.111.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cb8c4.79.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d2eac.171.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d4014.182.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e2180.55.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d0fb8.90.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4e74.106.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c5504.154.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d91b4.253.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.6c0000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e4008.202.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e0fb8.321.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ca2bc.309.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9ca8.51.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9494.258.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e130c.333.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9ca8.54.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd43c.356.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c0fd0.47.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d2c04.162.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cc0b4.22.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26db95c.311.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c527c.138.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4e70.99.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c11a0.61.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26de3c4.148.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26de758.159.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ca1c8.15.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c93bc.50.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd3f4.7.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d3840.84.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d8ad4.238.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e4008.200.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dffc8.172.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9434.285.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26de758.156.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c2104.74.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dddf4.126.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d39ac.179.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dffc8.170.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd3f4.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e10e4.331.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cb5dc.77.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ccd98.322.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1804.49.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cc5dc.318.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9508.298.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d4160.25.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1914.139.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d421c.191.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9508.297.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1d94.192.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1804.52.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9e2c.299.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d6d44.214.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9128.40.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1bb4.149.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9434.287.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd440.354.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c92b0.267.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e0008.319.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c11a0.60.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd3f0.109.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d2eac.168.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9c84.286.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c93bc.48.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.logagent.exe.725b0000.3.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c51a0.121.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d36c4.175.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d149c.117.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cb6b8.20.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c5040.115.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ca2bc.310.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9acc.275.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9c84.289.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e0008.317.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1d94.195.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d6ecc.217.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d8ed4.245.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26da3b4.68.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd1a0.340.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ddef4.132.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e0fb8.323.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26bee4c.18.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd954.116.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9128.38.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c0cf0.33.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dc210.28.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d18b4.131.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cc5dc.316.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d18b4.133.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c5288.17.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ccd98.320.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd08c.337.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d68d4.204.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd2b4.345.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d77e8.11.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1534.339.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ca1c8.16.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cfffc.313.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d6cd0.209.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1d74.66.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cb6b8.21.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1094.327.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.725b0000.0.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1348.41.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4d98.91.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d7438.222.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.725b0000.2.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e3840.314.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1094.325.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd2dc.102.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.725b0000.7.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1e24.155.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cc0b4.24.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9b24.283.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c0fd0.46.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d6cd0.210.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26bc0d0.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c51a0.122.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c2ff0.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c5278.130.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9dd4.295.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1c44.355.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26bdfc0.13.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9b24.281.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d858c.230.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c527c.137.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c5288.19.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd2b4.344.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1ad8.187.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e3840.315.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c95f8.305.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9508.293.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c6618.181.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d99e8.268.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ccf78.332.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dc210.26.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c45dc.86.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c53cc.147.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd43c.358.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d6d44.212.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d0008.87.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c903c.255.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cce68.324.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c6178.173.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1ad8.185.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c2278.78.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd1a0.342.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4e70.97.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26da00c.304.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d68d4.206.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d0008.88.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26bde24.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e130c.335.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26de008.141.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd2dc.101.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9384.273.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c0cf0.32.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4008.12.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4d98.89.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c975c.62.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d52a4.201.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c91ac.261.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d77e8.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c92b0.269.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd1dc.95.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d7438.220.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d8ad4.237.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dfbf8.166.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d17c8.124.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd440.352.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9494.256.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dfbf8.164.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cb5dc.75.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d8008.224.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dddf4.125.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c6178.174.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c2104.76.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1d74.63.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c91ac.262.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c2278.80.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.725b0000.3.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d36c4.176.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.725b0000.1.unpack Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ccf78.334.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d8ed4.246.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d39ac.180.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c2ff0.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd1dc.92.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e175c.341.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9384.274.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9384.279.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9acc.277.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e10e4.329.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.6c0000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d2c04.165.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4e74.105.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d0f64.36.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d8008.226.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1e24.157.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9e2c.301.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d3840.83.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d99e8.270.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9dd4.292.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e2180.53.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1bb4.146.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d52a4.198.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c5278.129.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c5504.153.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d17c8.123.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd08c.336.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cce68.326.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d4160.23.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c903c.257.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26db95c.312.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c5040.113.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d0f64.37.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ddef4.134.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd434.348.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d149c.114.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26da00c.307.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.logagent.exe.6c0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e175c.343.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26da3b4.65.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9384.280.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d91b4.250.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c6618.183.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: FedEx TRACKING DETAILS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: wininet.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.377390699.000000000543C000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377407261.000000000543D000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: logagent.exe, 00000007.00000000.369531996.0000000004710000.00000040.00000001.sdmp, logagent.exe, 00000007.00000000.369661210.000000000482F000.00000040.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: logagent.exe, logagent.exe, 00000007.00000000.369531996.0000000004710000.00000040.00000001.sdmp, logagent.exe, 00000007.00000000.369661210.000000000482F000.00000040.00000001.sdmp, WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.392961331.00000000032F2000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
Source: Binary string: logagent.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: wsock32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.hdetpnipa.xyz/a34b/
Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.312773374.00000000007F8000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.309668822.00000000007FF000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.311676556.00000000007FF000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 0000000B.00000002.393477883.0000000005410000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: Amcache.hve.11.dr String found in binary or memory: http://upx.sf.net
Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.310664901.0000000000832000.00000004.00000001.sdmp String found in binary or memory: https://3eie8a.sn.files.1drv.com/
Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.312773374.00000000007F8000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.309668822.00000000007FF000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.311676556.00000000007FF000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp String found in binary or memory: https://3eie8a.sn.files.1drv.com/C
Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.312794774.0000000000832000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp String found in binary or memory: https://3eie8a.sn.files.1drv.com/y4mPZtA9xPxqg1XkAX9-qUmR9UIvDv4jsOqvEGGW7e_sHrucIbMm3Gtnd2oRX03KcuO
Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.311676556.00000000007FF000.00000004.00000001.sdmp String found in binary or memory: https://3eie8a.sn.files.1drv.com/y4mTGtN2XEyFxr4Fwg2GfGDYA-weizJsEgCfvnFlKm_xwhWQiYk4SVd3YN1FLBVj9kD
Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp String found in binary or memory: https://3eie8a.sn.files.1drv.com/y4mwmaWo75uzUwtwpwSnt0PfQZClqYm-BqTi81xEEYBIo3hzrTU99nIAl5l4jRjpvu3
Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.311710977.0000000000832000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/
Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.312794774.0000000000832000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.311710977.0000000000832000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/B&resid=C34B41C1B35825CB%21140&authkey=AN9sEgEIgUt16GA
Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.310664901.0000000000832000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=C34B41C1B35825CB&resid=C34B41C1B35825CB%21140&authkey=AN9sEgE
Source: unknown DNS traffic detected: queries for: onedrive.live.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: FedEx TRACKING DETAILS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Yara signature match
Source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
One or more processes crash
Source: C:\Windows\SysWOW64\logagent.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 368
Detected potential crypto function
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_048020A8 7_2_048020A8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0474841F 7_2_0474841F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047F1002 7_2_047F1002
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047620A0 7_2_047620A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0474B090 7_2_0474B090
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04730D20 7_2_04730D20
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04754120 7_2_04754120
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473F900 7_2_0473F900
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04802D07 7_2_04802D07
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0474D5E0 7_2_0474D5E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04801D55 7_2_04801D55
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04762581 7_2_04762581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_048022AE 7_2_048022AE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04756E30 7_2_04756E30
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04802EF7 7_2_04802EF7
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04801FF1 7_2_04801FF1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04802B28 7_2_04802B28
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047FDBD2 7_2_047FDBD2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476EBB0 7_2_0476EBB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 0473B150 appears 35 times
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_04779860
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779660 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_04779660
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047796E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_047796E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0477B040 NtSuspendThread, 7_2_0477B040
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779840 NtDelayExecution, 7_2_04779840
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779820 NtEnumerateKey, 7_2_04779820
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047798F0 NtReadVirtualMemory, 7_2_047798F0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047798A0 NtWriteVirtualMemory, 7_2_047798A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779560 NtWriteFile, 7_2_04779560
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779950 NtQueueApcThread, 7_2_04779950
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779540 NtReadFile, 7_2_04779540
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0477AD30 NtSetContextThread, 7_2_0477AD30
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779520 NtWaitForSingleObject, 7_2_04779520
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779910 NtAdjustPrivilegesToken, 7_2_04779910
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047795F0 NtQueryInformationFile, 7_2_047795F0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047799D0 NtCreateProcessEx, 7_2_047799D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047795D0 NtClose, 7_2_047795D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047799A0 NtCreateSection, 7_2_047799A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779670 NtQueryInformationProcess, 7_2_04779670
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779A50 NtCreateFile, 7_2_04779A50
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779650 NtQueryValueKey, 7_2_04779650
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779A20 NtResumeThread, 7_2_04779A20
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779610 NtEnumerateValueKey, 7_2_04779610
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779A10 NtQuerySection, 7_2_04779A10
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779A00 NtProtectVirtualMemory, 7_2_04779A00
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047796D0 NtCreateKey, 7_2_047796D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779A80 NtOpenDirectoryObject, 7_2_04779A80
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779770 NtSetInformationFile, 7_2_04779770
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0477A770 NtOpenThread, 7_2_0477A770
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779760 NtOpenProcess, 7_2_04779760
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779730 NtQueryVirtualMemory, 7_2_04779730
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0477A710 NtOpenProcessToken, 7_2_0477A710
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779710 NtQueryInformationToken, 7_2_04779710
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779B00 NtSetValueKey, 7_2_04779B00
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779FE0 NtCreateMutant, 7_2_04779FE0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0477A3B0 NtGetContextThread, 7_2_0477A3B0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047797A0 NtUnmapViewOfSection, 7_2_047797A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779780 NtMapViewOfSection, 7_2_04779780
PE file contains strange resources
Source: FedEx TRACKING DETAILS.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Section loaded: amsiproxy.dll
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: 725B0000 page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: 725B0000 page no access
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: 725B0000 page read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: 725B1000 page read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: 725E0000 page read and write
Source: FedEx TRACKING DETAILS.exe Virustotal: Detection: 36%
Source: FedEx TRACKING DETAILS.exe ReversingLabs: Detection: 51%
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe File read: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe "C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe"
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Windows\SysWOW64\logagent.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 368
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Ipknvfrclgulizdtylbxizfhvowtamb[1]
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC41.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/7@2/0
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3144
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: wininet.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.377390699.000000000543C000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377407261.000000000543D000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: logagent.exe, 00000007.00000000.369531996.0000000004710000.00000040.00000001.sdmp, logagent.exe, 00000007.00000000.369661210.000000000482F000.00000040.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: logagent.exe, logagent.exe, 00000007.00000000.369531996.0000000004710000.00000040.00000001.sdmp, logagent.exe, 00000007.00000000.369661210.000000000482F000.00000040.00000001.sdmp, WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.392961331.00000000032F2000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
Source: Binary string: logagent.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
Source: Binary string: wsock32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Code function: 1_3_02641752 push edx; ret 1_3_02641761
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0478D0D1 push ecx; ret 7_2_0478D0E4
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\logagent.exe RDTSC instruction interceptor: First address: 00000000006C9904 second address: 00000000006C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\logagent.exe RDTSC instruction interceptor: First address: 00000000006C9B7E second address: 00000000006C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04776DE6 rdtsc 7_2_04776DE6
Source: C:\Windows\SysWOW64\logagent.exe Process information queried: ProcessInformation
Source: Amcache.hve.11.dr Binary or memory string: VMware
Source: Amcache.hve.11.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.11.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
Source: WerFault.exe, 0000000B.00000002.393404168.00000000053F0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWx!B
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr Binary or memory string: VMware7,1
Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 0000000B.00000003.390796145.000000000540E000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.393477883.0000000005410000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.11.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.11.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.11.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04776DE6 rdtsc 7_2_04776DE6
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047F2073 mov eax, dword ptr fs:[00000030h] 7_2_047F2073
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0475746D mov eax, dword ptr fs:[00000030h] 7_2_0475746D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04750050 mov eax, dword ptr fs:[00000030h] 7_2_04750050
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047CC450 mov eax, dword ptr fs:[00000030h] 7_2_047CC450
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476A44B mov eax, dword ptr fs:[00000030h] 7_2_0476A44B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04808CD6 mov eax, dword ptr fs:[00000030h] 7_2_04808CD6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476BC2C mov eax, dword ptr fs:[00000030h] 7_2_0476BC2C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476002D mov eax, dword ptr fs:[00000030h] 7_2_0476002D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0474B02A mov eax, dword ptr fs:[00000030h] 7_2_0474B02A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B7016 mov eax, dword ptr fs:[00000030h] 7_2_047B7016
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B6C0A mov eax, dword ptr fs:[00000030h] 7_2_047B6C0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047F1C06 mov eax, dword ptr fs:[00000030h] 7_2_047F1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047F14FB mov eax, dword ptr fs:[00000030h] 7_2_047F14FB
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B6CF0 mov eax, dword ptr fs:[00000030h] 7_2_047B6CF0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0480740D mov eax, dword ptr fs:[00000030h] 7_2_0480740D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04804015 mov eax, dword ptr fs:[00000030h] 7_2_04804015
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047358EC mov eax, dword ptr fs:[00000030h] 7_2_047358EC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047CB8D0 mov eax, dword ptr fs:[00000030h] 7_2_047CB8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047CB8D0 mov ecx, dword ptr fs:[00000030h] 7_2_047CB8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476F0BF mov ecx, dword ptr fs:[00000030h] 7_2_0476F0BF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476F0BF mov eax, dword ptr fs:[00000030h] 7_2_0476F0BF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047620A0 mov eax, dword ptr fs:[00000030h] 7_2_047620A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047790AF mov eax, dword ptr fs:[00000030h] 7_2_047790AF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0474849B mov eax, dword ptr fs:[00000030h] 7_2_0474849B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04739080 mov eax, dword ptr fs:[00000030h] 7_2_04739080
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04801074 mov eax, dword ptr fs:[00000030h] 7_2_04801074
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B3884 mov eax, dword ptr fs:[00000030h] 7_2_047B3884
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473B171 mov eax, dword ptr fs:[00000030h] 7_2_0473B171
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0475C577 mov eax, dword ptr fs:[00000030h] 7_2_0475C577
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473C962 mov eax, dword ptr fs:[00000030h] 7_2_0473C962
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04757D50 mov eax, dword ptr fs:[00000030h] 7_2_04757D50
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_048005AC mov eax, dword ptr fs:[00000030h] 7_2_048005AC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0475B944 mov eax, dword ptr fs:[00000030h] 7_2_0475B944
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04773D43 mov eax, dword ptr fs:[00000030h] 7_2_04773D43
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B3540 mov eax, dword ptr fs:[00000030h] 7_2_047B3540
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h] 7_2_04743D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473AD30 mov eax, dword ptr fs:[00000030h] 7_2_0473AD30
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476513A mov eax, dword ptr fs:[00000030h] 7_2_0476513A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047BA537 mov eax, dword ptr fs:[00000030h] 7_2_047BA537
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04764D3B mov eax, dword ptr fs:[00000030h] 7_2_04764D3B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04754120 mov eax, dword ptr fs:[00000030h] 7_2_04754120
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04754120 mov ecx, dword ptr fs:[00000030h] 7_2_04754120
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04739100 mov eax, dword ptr fs:[00000030h] 7_2_04739100
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047E8DF1 mov eax, dword ptr fs:[00000030h] 7_2_047E8DF1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0473B1E1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047C41E8 mov eax, dword ptr fs:[00000030h] 7_2_047C41E8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0474D5E0 mov eax, dword ptr fs:[00000030h] 7_2_0474D5E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047FFDE2 mov eax, dword ptr fs:[00000030h] 7_2_047FFDE2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B6DC9 mov eax, dword ptr fs:[00000030h] 7_2_047B6DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B6DC9 mov eax, dword ptr fs:[00000030h] 7_2_047B6DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B6DC9 mov eax, dword ptr fs:[00000030h] 7_2_047B6DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B6DC9 mov ecx, dword ptr fs:[00000030h] 7_2_047B6DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B6DC9 mov eax, dword ptr fs:[00000030h] 7_2_047B6DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B6DC9 mov eax, dword ptr fs:[00000030h] 7_2_047B6DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04808D34 mov eax, dword ptr fs:[00000030h] 7_2_04808D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04761DB5 mov eax, dword ptr fs:[00000030h] 7_2_04761DB5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04761DB5 mov eax, dword ptr fs:[00000030h] 7_2_04761DB5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04761DB5 mov eax, dword ptr fs:[00000030h] 7_2_04761DB5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B51BE mov eax, dword ptr fs:[00000030h] 7_2_047B51BE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B51BE mov eax, dword ptr fs:[00000030h] 7_2_047B51BE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B51BE mov eax, dword ptr fs:[00000030h] 7_2_047B51BE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B51BE mov eax, dword ptr fs:[00000030h] 7_2_047B51BE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047661A0 mov eax, dword ptr fs:[00000030h] 7_2_047661A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047661A0 mov eax, dword ptr fs:[00000030h] 7_2_047661A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047635A1 mov eax, dword ptr fs:[00000030h] 7_2_047635A1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B69A6 mov eax, dword ptr fs:[00000030h] 7_2_047B69A6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04762990 mov eax, dword ptr fs:[00000030h] 7_2_04762990
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476FD9B mov eax, dword ptr fs:[00000030h] 7_2_0476FD9B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476FD9B mov eax, dword ptr fs:[00000030h] 7_2_0476FD9B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476A185 mov eax, dword ptr fs:[00000030h] 7_2_0476A185
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0475C182 mov eax, dword ptr fs:[00000030h] 7_2_0475C182
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04762581 mov eax, dword ptr fs:[00000030h] 7_2_04762581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04762581 mov eax, dword ptr fs:[00000030h] 7_2_04762581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04762581 mov eax, dword ptr fs:[00000030h] 7_2_04762581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04762581 mov eax, dword ptr fs:[00000030h] 7_2_04762581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04732D8A mov eax, dword ptr fs:[00000030h] 7_2_04732D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04732D8A mov eax, dword ptr fs:[00000030h] 7_2_04732D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04732D8A mov eax, dword ptr fs:[00000030h] 7_2_04732D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04732D8A mov eax, dword ptr fs:[00000030h] 7_2_04732D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04732D8A mov eax, dword ptr fs:[00000030h] 7_2_04732D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0475AE73 mov eax, dword ptr fs:[00000030h] 7_2_0475AE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0475AE73 mov eax, dword ptr fs:[00000030h] 7_2_0475AE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0475AE73 mov eax, dword ptr fs:[00000030h] 7_2_0475AE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0475AE73 mov eax, dword ptr fs:[00000030h] 7_2_0475AE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0475AE73 mov eax, dword ptr fs:[00000030h] 7_2_0475AE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0477927A mov eax, dword ptr fs:[00000030h] 7_2_0477927A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0474766D mov eax, dword ptr fs:[00000030h] 7_2_0474766D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047EB260 mov eax, dword ptr fs:[00000030h] 7_2_047EB260
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047EB260 mov eax, dword ptr fs:[00000030h] 7_2_047EB260
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04800EA5 mov eax, dword ptr fs:[00000030h] 7_2_04800EA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04800EA5 mov eax, dword ptr fs:[00000030h] 7_2_04800EA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04800EA5 mov eax, dword ptr fs:[00000030h] 7_2_04800EA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047FEA55 mov eax, dword ptr fs:[00000030h] 7_2_047FEA55
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047C4257 mov eax, dword ptr fs:[00000030h] 7_2_047C4257
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04739240 mov eax, dword ptr fs:[00000030h] 7_2_04739240
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04739240 mov eax, dword ptr fs:[00000030h] 7_2_04739240
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04739240 mov eax, dword ptr fs:[00000030h] 7_2_04739240
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04739240 mov eax, dword ptr fs:[00000030h] 7_2_04739240
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04747E41 mov eax, dword ptr fs:[00000030h] 7_2_04747E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04747E41 mov eax, dword ptr fs:[00000030h] 7_2_04747E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04747E41 mov eax, dword ptr fs:[00000030h] 7_2_04747E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04747E41 mov eax, dword ptr fs:[00000030h] 7_2_04747E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04747E41 mov eax, dword ptr fs:[00000030h] 7_2_04747E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04747E41 mov eax, dword ptr fs:[00000030h] 7_2_04747E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047FAE44 mov eax, dword ptr fs:[00000030h] 7_2_047FAE44
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047FAE44 mov eax, dword ptr fs:[00000030h] 7_2_047FAE44
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047EFE3F mov eax, dword ptr fs:[00000030h] 7_2_047EFE3F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473E620 mov eax, dword ptr fs:[00000030h] 7_2_0473E620
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04808ED6 mov eax, dword ptr fs:[00000030h] 7_2_04808ED6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04774A2C mov eax, dword ptr fs:[00000030h] 7_2_04774A2C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04774A2C mov eax, dword ptr fs:[00000030h] 7_2_04774A2C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04735210 mov eax, dword ptr fs:[00000030h] 7_2_04735210
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04735210 mov ecx, dword ptr fs:[00000030h] 7_2_04735210
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04735210 mov eax, dword ptr fs:[00000030h] 7_2_04735210
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04735210 mov eax, dword ptr fs:[00000030h] 7_2_04735210
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473AA16 mov eax, dword ptr fs:[00000030h] 7_2_0473AA16
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473AA16 mov eax, dword ptr fs:[00000030h] 7_2_0473AA16
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04753A1C mov eax, dword ptr fs:[00000030h] 7_2_04753A1C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476A61C mov eax, dword ptr fs:[00000030h] 7_2_0476A61C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476A61C mov eax, dword ptr fs:[00000030h] 7_2_0476A61C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473C600 mov eax, dword ptr fs:[00000030h] 7_2_0473C600
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473C600 mov eax, dword ptr fs:[00000030h] 7_2_0473C600
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473C600 mov eax, dword ptr fs:[00000030h] 7_2_0473C600
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04768E00 mov eax, dword ptr fs:[00000030h] 7_2_04768E00
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047F1608 mov eax, dword ptr fs:[00000030h] 7_2_047F1608
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04748A0A mov eax, dword ptr fs:[00000030h] 7_2_04748A0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04762AE4 mov eax, dword ptr fs:[00000030h] 7_2_04762AE4
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047616E0 mov ecx, dword ptr fs:[00000030h] 7_2_047616E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047476E2 mov eax, dword ptr fs:[00000030h] 7_2_047476E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04778EC7 mov eax, dword ptr fs:[00000030h] 7_2_04778EC7
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047636CC mov eax, dword ptr fs:[00000030h] 7_2_047636CC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04762ACB mov eax, dword ptr fs:[00000030h] 7_2_04762ACB
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047EFEC0 mov eax, dword ptr fs:[00000030h] 7_2_047EFEC0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0474AAB0 mov eax, dword ptr fs:[00000030h] 7_2_0474AAB0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0474AAB0 mov eax, dword ptr fs:[00000030h] 7_2_0474AAB0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476FAB0 mov eax, dword ptr fs:[00000030h] 7_2_0476FAB0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047352A5 mov eax, dword ptr fs:[00000030h] 7_2_047352A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047352A5 mov eax, dword ptr fs:[00000030h] 7_2_047352A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047352A5 mov eax, dword ptr fs:[00000030h] 7_2_047352A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047352A5 mov eax, dword ptr fs:[00000030h] 7_2_047352A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047352A5 mov eax, dword ptr fs:[00000030h] 7_2_047352A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B46A7 mov eax, dword ptr fs:[00000030h] 7_2_047B46A7
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476D294 mov eax, dword ptr fs:[00000030h] 7_2_0476D294
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476D294 mov eax, dword ptr fs:[00000030h] 7_2_0476D294
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04808A62 mov eax, dword ptr fs:[00000030h] 7_2_04808A62
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047CFE87 mov eax, dword ptr fs:[00000030h] 7_2_047CFE87
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04763B7A mov eax, dword ptr fs:[00000030h] 7_2_04763B7A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04763B7A mov eax, dword ptr fs:[00000030h] 7_2_04763B7A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473DB60 mov ecx, dword ptr fs:[00000030h] 7_2_0473DB60
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0474FF60 mov eax, dword ptr fs:[00000030h] 7_2_0474FF60
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04805BA5 mov eax, dword ptr fs:[00000030h] 7_2_04805BA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473F358 mov eax, dword ptr fs:[00000030h] 7_2_0473F358
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0473DB40 mov eax, dword ptr fs:[00000030h] 7_2_0473DB40
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0474EF40 mov eax, dword ptr fs:[00000030h] 7_2_0474EF40
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476E730 mov eax, dword ptr fs:[00000030h] 7_2_0476E730
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04734F2E mov eax, dword ptr fs:[00000030h] 7_2_04734F2E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04734F2E mov eax, dword ptr fs:[00000030h] 7_2_04734F2E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0475F716 mov eax, dword ptr fs:[00000030h] 7_2_0475F716
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047F131B mov eax, dword ptr fs:[00000030h] 7_2_047F131B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047CFF10 mov eax, dword ptr fs:[00000030h] 7_2_047CFF10
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047CFF10 mov eax, dword ptr fs:[00000030h] 7_2_047CFF10
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476A70E mov eax, dword ptr fs:[00000030h] 7_2_0476A70E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476A70E mov eax, dword ptr fs:[00000030h] 7_2_0476A70E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047737F5 mov eax, dword ptr fs:[00000030h] 7_2_047737F5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0480070D mov eax, dword ptr fs:[00000030h] 7_2_0480070D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0480070D mov eax, dword ptr fs:[00000030h] 7_2_0480070D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047603E2 mov eax, dword ptr fs:[00000030h] 7_2_047603E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047603E2 mov eax, dword ptr fs:[00000030h] 7_2_047603E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047603E2 mov eax, dword ptr fs:[00000030h] 7_2_047603E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047603E2 mov eax, dword ptr fs:[00000030h] 7_2_047603E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047603E2 mov eax, dword ptr fs:[00000030h] 7_2_047603E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047603E2 mov eax, dword ptr fs:[00000030h] 7_2_047603E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0475DBE9 mov eax, dword ptr fs:[00000030h] 7_2_0475DBE9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B53CA mov eax, dword ptr fs:[00000030h] 7_2_047B53CA
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B53CA mov eax, dword ptr fs:[00000030h] 7_2_047B53CA
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04808B58 mov eax, dword ptr fs:[00000030h] 7_2_04808B58
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04764BAD mov eax, dword ptr fs:[00000030h] 7_2_04764BAD
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04764BAD mov eax, dword ptr fs:[00000030h] 7_2_04764BAD
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04764BAD mov eax, dword ptr fs:[00000030h] 7_2_04764BAD
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04748794 mov eax, dword ptr fs:[00000030h] 7_2_04748794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04762397 mov eax, dword ptr fs:[00000030h] 7_2_04762397
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_0476B390 mov eax, dword ptr fs:[00000030h] 7_2_0476B390
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04808F6A mov eax, dword ptr fs:[00000030h] 7_2_04808F6A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B7794 mov eax, dword ptr fs:[00000030h] 7_2_047B7794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B7794 mov eax, dword ptr fs:[00000030h] 7_2_047B7794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047B7794 mov eax, dword ptr fs:[00000030h] 7_2_047B7794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047F138A mov eax, dword ptr fs:[00000030h] 7_2_047F138A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04741B8F mov eax, dword ptr fs:[00000030h] 7_2_04741B8F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04741B8F mov eax, dword ptr fs:[00000030h] 7_2_04741B8F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_047ED380 mov ecx, dword ptr fs:[00000030h] 7_2_047ED380
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\logagent.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\logagent.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04779860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_04779860

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 1D0000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 1E0000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 400000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 410000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 420000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 430000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 440000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 450000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 460000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 725B0000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 470000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 6B0000
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 725B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 1D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 1E0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 410000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 420000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 430000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 440000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 450000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 460000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 470000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 6B0000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 725B0000 value starts with: 4D5A
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 1D0000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 420000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 460000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 6B0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: logagent.exe, 00000007.00000000.357556724.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.346735402.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.349786949.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.358833612.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.353821559.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.356544338.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360094924.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.348754041.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.347969273.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352141401.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.355535580.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.369480515.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.372477132.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360963079.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.351047702.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352912159.0000000003300000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: logagent.exe, 00000007.00000000.357556724.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.346735402.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.349786949.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.358833612.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.353821559.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.356544338.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360094924.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.348754041.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.347969273.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352141401.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.355535580.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.369480515.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.372477132.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360963079.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.351047702.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352912159.0000000003300000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: logagent.exe, 00000007.00000000.357556724.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.346735402.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.349786949.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.358833612.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.353821559.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.356544338.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360094924.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.348754041.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.347969273.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352141401.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.355535580.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.369480515.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.372477132.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360963079.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.351047702.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352912159.0000000003300000.00000002.00020000.sdmp Binary or memory string: Progman
Source: logagent.exe, 00000007.00000000.357556724.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.346735402.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.349786949.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.358833612.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.353821559.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.356544338.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360094924.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.348754041.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.347969273.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352141401.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.355535580.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.369480515.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.372477132.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360963079.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.351047702.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352912159.0000000003300000.00000002.00020000.sdmp Binary or memory string: Progmanlock
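The two groups of evidence above (the fs:[30h] PEB reads and DebugPort queries under the anti-debug signatures, and the allocate / write / thread-create sequence against logagent.exe under HIPS evasion) are easier to reason about once the lines are aggregated per remote memory region instead of read one at a time. The Python script below is an added example and not part of the Joe Sandbox report: it parses constructed lines written in the report's own line format (a subset of the addresses listed above, with the link text dropped) and reconstructs which regions in logagent.exe received a PE image (a write whose bytes start with 4D5A, "MZ"), which became remote-thread entry points, and how many PEB reads and DebugPort queries the injected process makes. The regular expressions, the stage names and the `verdict` rule are this example's own assumptions about the line format, not something the report defines.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the report's evidence entries (a subset of the
# addresses the report lists for logagent.exe; "Jump to behavior" link text omitted).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 725B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 1D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 6B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 1D0000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 400000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 725B0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 6B0000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 1D0000
Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 6B0000
Source: C:\Windows\SysWOW64\logagent.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\logagent.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04764D3B mov eax, dword ptr fs:[00000030h] 7_2_04764D3B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04754120 mov eax, dword ptr fs:[00000030h] 7_2_04754120
Source: C:\Windows\SysWOW64\logagent.exe Code function: 7_2_04754120 mov ecx, dword ptr fs:[00000030h] 7_2_04754120
"""

# Assumed line shapes (this example's own regexes, derived from the lines above).
EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<event>Process created|Memory allocated|Memory written|Thread created|Process queried|Code function): "
    r"(?P<rest>.*)$"
)
ALLOC_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
THREAD_RE = re.compile(r"^(?P<target>.+?) EIP: (?P<base>[0-9A-Fa-f]+)$")
PEB_RE = re.compile(r"^(?P<func>\S+) mov \w+, dword ptr fs:\[00000030h\]")  # fs:[30h] is the PEB pointer in the 32-bit TEB


def new_region():
    return {"protect": None, "written": False, "magic": None, "thread": False}


def parse_report(text):
    """Aggregate evidence lines into per-target remote regions plus anti-debug counters."""
    regions = defaultdict(lambda: defaultdict(new_region))  # target process -> base -> region state
    peb_reads = defaultdict(int)                             # function id -> number of fs:[30h] reads
    debugport = 0
    spawned = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        event, rest = m.group("event"), m.group("rest")
        if event == "Process created":
            spawned.append(rest.split(" ", 1)[0])          # image path precedes the command line
        elif event == "Memory allocated" and (a := ALLOC_RE.match(rest)):
            regions[a["target"]][a["base"].upper()]["protect"] = a["prot"]
        elif event == "Memory written" and (w := WRITE_RE.match(rest)):
            region = regions[w["target"]][w["base"].upper()]
            region["written"] = True
            if w["magic"]:
                region["magic"] = w["magic"].upper()
        elif event == "Thread created" and (t := THREAD_RE.match(rest)):
            regions[t["target"]][t["base"].upper()]["thread"] = True
        elif event == "Process queried" and rest.strip() == "DebugPort":
            debugport += 1                                  # NtQueryInformationProcess(ProcessDebugPort) style check
        elif event == "Code function" and (p := PEB_RE.match(rest)):
            peb_reads[p["func"]] += 1
    return {"regions": regions, "peb_reads": dict(peb_reads),
            "debugport_queries": debugport, "spawned": spawned}


def classify_region(region):
    """Name the injection stage a single remote region is evidence for."""
    if region["magic"] and region["magic"].startswith("4D5A"):
        return "pe-image"       # written buffer begins with "MZ": a whole PE was copied in
    if region["thread"] and region["written"]:
        return "thread-entry"   # code staged, then executed through a remote thread
    if region["written"]:
        return "written"        # staged data or code with no thread started on it
    if region["protect"] and "execute" in region["protect"]:
        return "rwx-allocated"  # executable allocation that this trace never wrote
    return "allocated"


def injection_chain(report, target):
    """(base, stage) for every remote region in `target`, ordered by address."""
    regs = report["regions"].get(target, {})
    return sorted(((base, classify_region(r)) for base, r in regs.items()),
                  key=lambda item: int(item[0], 16))


def verdict(report, target):
    """True when the trace shows a spawned child, an RWX region, an MZ write and a remote thread."""
    regs = report["regions"].get(target, {})
    stages = {classify_region(r) for r in regs.values()}
    rwx = any(r["protect"] and "execute" in r["protect"] and "write" in r["protect"] for r in regs.values())
    return target in report["spawned"] and rwx and {"pe-image", "thread-entry"} <= stages


if __name__ == "__main__":
    rep = parse_report(SAMPLE_LINES)
    tgt = r"C:\Windows\SysWOW64\logagent.exe"
    for base, stage in injection_chain(rep, tgt):
        print(f"{base:>8}  {stage}")
    print("PEB reads per function:", rep["peb_reads"])
    print("DebugPort queries:", rep["debugport_queries"])
    print("Full injection chain observed:", verdict(rep, tgt))
```

On the constructed lines the script reports 725B0000 as the injected PE image (the same region the malware configuration in this report was extracted from), 1D0000 and 6B0000 as remote-thread entry points, 400000 as written but never executed here, two DebugPort queries and PEB reads in two functions. Running it over the full evidence list above instead of the subset is a matter of pasting the lines in.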

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.11.dr, Amcache.hve.LOG1.11.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr, Amcache.hve.LOG1.11.dr Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
No contacted IP infos