
Windows Analysis Report FedEx TRACKING DETAILS.exe

Overview

General Information

Sample Name: FedEx TRACKING DETAILS.exe
Analysis ID: 532861
MD5: 32414d4cae15c3a8063bf1251346533c
SHA1: 3e92cca40b5b3bde11265ea773e77e0cd2432f96
SHA256: d6b4f7ba99b492e9b2382b51f6c49b32e86cc81b7fc6c93313f5962de4b910bd
Tags: exe, FedEx, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
AV process strings found (often used to terminate AV products)
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • FedEx TRACKING DETAILS.exe (PID: 6348 cmdline: "C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe" MD5: 32414D4CAE15C3A8063BF1251346533C)
    • logagent.exe (PID: 3144 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)
      • WerFault.exe (PID: 4848 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 368 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hdetpnipa.xyz/a34b/"], "decoy": ["mesonarte.com", "eksiwakun9.xyz", "dustcollectionconsultant.com", "heliosarchitecture.com", "chinaanalysisgroup.com", "nimbinhillshemp.com", "ychain.biz", "mountshastaart.com", "monstermangoloco.com", "bodhiandbear.com", "rootednft.xyz", "metayema.com", "zw21.xyz", "criccketworld.com", "segurobarato.net", "ananyacap.com", "momo-momo.xyz", "ezrealestatedeals.com", "ghrde.xyz", "idimol.com", "pcthspoe.xyz", "thewhiteswanharringworth.com", "che8760.com", "85111280.xyz", "apteka-magnolia.com", "proach.online", "portfolioabeckford.com", "affilinvest.com", "subspank.xyz", "odessamadrecoffeehouse.com", "onetrade.biz", "tianfuhg.com", "kibtitalikeniwenti.com", "terriblearttours.com", "saudirelief.com", "metacourting.xyz", "kimera.blue", "mgpsfm.com", "metawzrd.com", "veahhiodl.xyz", "alimasurfhotel.com", "sirensandiego.com", "gd-hxgg.com", "aurorarift.com", "clingbee.com", "zettavisor2021.xyz", "gregoryryankramer.art", "robertsonfandc.com", "sociedadgeograficacafe.com", "emilyhkeefer.com", "v-hush.com", "judithtuttle.xyz", "itbrandlink.com", "carrybicycles.com", "storge-evolution.com", "socnhhpa.xyz", "victorzark.com", "ghettoguy.com", "redtruckguy.com", "jeanmariewallendorf.com", "ocpdtel.xyz", "democracies.online", "bw529twonineh5.world", "chinhdohuyenthoai.xyz"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xb34c:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xb5c6:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x170f9:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x16be5:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x171fb:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x17373:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xbfde:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x15e60:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xccd7:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1d36b:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1e36e:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x1a28d:$sqlite3step: 68 34 1C 7B E1
  • 0x1a3a0:$sqlite3step: 68 34 1C 7B E1
  • 0x1a2bc:$sqlite3text: 68 38 2A 90 C5
  • 0x1a3e1:$sqlite3text: 68 38 2A 90 C5
  • 0x1a2cf:$sqlite3blob: 68 53 D8 7F 8C
  • 0x1a3f7:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 entries in total; remaining entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.0.logagent.exe.725b0000.11.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.0.logagent.exe.725b0000.11.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xa74c:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xa9c6:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x164f9:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15fe5:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x165fb:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x16773:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xb3de:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x15260:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xc0d7:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1c76b:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1d76e:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.0.logagent.exe.725b0000.11.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x1968d:$sqlite3step: 68 34 1C 7B E1
  • 0x197a0:$sqlite3step: 68 34 1C 7B E1
  • 0x196bc:$sqlite3text: 68 38 2A 90 C5
  • 0x197e1:$sqlite3text: 68 38 2A 90 C5
  • 0x196cf:$sqlite3blob: 68 53 D8 7F 8C
  • 0x197f7:$sqlite3blob: 68 53 D8 7F 8C
7.0.logagent.exe.6c0000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.0.logagent.exe.6c0000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(43 entries in total; remaining entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: FedEx TRACKING DETAILS.exe | Virustotal: Detection: 36%
Source: FedEx TRACKING DETAILS.exe | ReversingLabs: Detection: 51%
Yara detected FormBook
Source: Yara match | File source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.hdetpnipa.xyz/a34b/ | Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: www.hdetpnipa.xyz/a34b/ | Virustotal: Detection: 9%
Machine Learning detection for sample
Source: FedEx TRACKING DETAILS.exe | Joe Sandbox ML: detected
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1534.338.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9508.291.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1914.140.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d0fb8.93.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c975c.64.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c95f8.303.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1104.107.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd434.350.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26de008.143.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c53cc.145.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd954.118.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d4014.184.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d858c.229.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cb8c4.81.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1c44.353.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1348.39.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c45dc.85.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.725b0000.11.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26de3c4.151.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d6ecc.218.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1104.108.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d421c.193.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4008.14.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd3f0.111.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cb8c4.79.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d2eac.171.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d4014.182.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e2180.55.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d0fb8.90.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4e74.106.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c5504.154.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d91b4.253.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.6c0000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e4008.202.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e0fb8.321.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ca2bc.309.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9ca8.51.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9494.258.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e130c.333.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9ca8.54.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd43c.356.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c0fd0.47.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d2c04.162.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cc0b4.22.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26db95c.311.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c527c.138.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4e70.99.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c11a0.61.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26de3c4.148.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26de758.159.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ca1c8.15.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c93bc.50.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd3f4.7.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d3840.84.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d8ad4.238.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e4008.200.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dffc8.172.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9434.285.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26de758.156.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c2104.74.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dddf4.126.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d39ac.179.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dffc8.170.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd3f4.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e10e4.331.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cb5dc.77.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ccd98.322.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1804.49.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cc5dc.318.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9508.298.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d4160.25.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1914.139.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d421c.191.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9508.297.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1d94.192.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1804.52.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9e2c.299.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d6d44.214.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9128.40.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1bb4.149.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9434.287.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd440.354.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c92b0.267.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e0008.319.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c11a0.60.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd3f0.109.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d2eac.168.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9c84.286.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c93bc.48.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.logagent.exe.725b0000.3.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c51a0.121.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d36c4.175.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d149c.117.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cb6b8.20.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c5040.115.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ca2bc.310.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9acc.275.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9c84.289.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e0008.317.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1d94.195.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d6ecc.217.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d8ed4.245.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26da3b4.68.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd1a0.340.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ddef4.132.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e0fb8.323.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26bee4c.18.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd954.116.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9128.38.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c0cf0.33.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dc210.28.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d18b4.131.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cc5dc.316.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d18b4.133.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c5288.17.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ccd98.320.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd08c.337.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d68d4.204.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd2b4.345.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d77e8.11.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1534.339.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ca1c8.16.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cfffc.313.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d6cd0.209.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1d74.66.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cb6b8.21.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1094.327.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.725b0000.0.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1348.41.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4d98.91.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d7438.222.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.725b0000.2.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e3840.314.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1094.325.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd2dc.102.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.725b0000.7.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1e24.155.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cc0b4.24.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9b24.283.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c0fd0.46.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d6cd0.210.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26bc0d0.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c51a0.122.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c2ff0.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c5278.130.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9dd4.295.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1c44.355.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26bdfc0.13.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9b24.281.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d858c.230.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c527c.137.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c5288.19.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd2b4.344.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1ad8.187.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e3840.315.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c95f8.305.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9508.293.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c6618.181.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d99e8.268.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ccf78.332.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dc210.26.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c45dc.86.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c53cc.147.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd43c.358.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d6d44.212.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d0008.87.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c903c.255.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cce68.324.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c6178.173.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e1ad8.185.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c2278.78.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd1a0.342.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4e70.97.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26da00c.304.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d68d4.206.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d0008.88.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26bde24.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26e130c.335.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26de008.141.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd2dc.101.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c9384.273.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c0cf0.32.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4008.12.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c4d98.89.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c975c.62.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d52a4.201.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c91ac.261.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d77e8.9.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c92b0.269.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dd1dc.95.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d7438.220.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d8ad4.237.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dfbf8.166.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d17c8.124.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cd440.352.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d9494.256.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dfbf8.164.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26cb5dc.75.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d8008.224.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26dddf4.125.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c6178.174.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c2104.76.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d1d74.63.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c91ac.262.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26c2278.80.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.725b0000.3.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d36c4.176.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.logagent.exe.725b0000.1.unpack | Avira: Label: TR/Crypt.Morphine.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26ccf78.334.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d8ed4.246.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.FedEx TRACKING DETAILS.exe.26d39ac.180.unpack | Avira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26c2ff0.1.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26dd1dc.92.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26e175c.341.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26c9384.274.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26c9384.279.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d9acc.277.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26e10e4.329.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 7.0.logagent.exe.6c0000.4.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d2c04.165.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26c4e74.105.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d0f64.36.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d8008.226.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d1e24.157.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d9e2c.301.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d3840.83.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d99e8.270.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d9dd4.292.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26e2180.53.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d1bb4.146.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d52a4.198.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26c5278.129.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26c5504.153.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d17c8.123.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26cd08c.336.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26cce68.326.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d4160.23.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26c903c.257.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26db95c.312.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26c5040.113.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d0f64.37.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26ddef4.134.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26cd434.348.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d149c.114.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26da00c.307.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 7.2.logagent.exe.6c0000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26e175c.343.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26da3b4.65.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26c9384.280.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26d91b4.250.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.3.FedEx TRACKING DETAILS.exe.26c6618.183.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: FedEx TRACKING DETAILS.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
          Source: Binary string: wininet.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
          Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.377390699.000000000543C000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377407261.000000000543D000.00000004.00000001.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: logagent.exe, 00000007.00000000.369531996.0000000004710000.00000040.00000001.sdmp, logagent.exe, 00000007.00000000.369661210.000000000482F000.00000040.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: logagent.exe, logagent.exe, 00000007.00000000.369531996.0000000004710000.00000040.00000001.sdmp, logagent.exe, 00000007.00000000.369661210.000000000482F000.00000040.00000001.sdmp, WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: wwin32u.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.392961331.00000000032F2000.00000004.00000001.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: wuser32.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
          Source: Binary string: logagent.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: wsock32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor | URLs: www.hdetpnipa.xyz/a34b/
          Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.312773374.00000000007F8000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.309668822.00000000007FF000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.311676556.00000000007FF000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: WerFault.exe, 0000000B.00000002.393477883.0000000005410000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
          Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net
          Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.310664901.0000000000832000.00000004.00000001.sdmp | String found in binary or memory: https://3eie8a.sn.files.1drv.com/
          Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.312773374.00000000007F8000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.309668822.00000000007FF000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.311676556.00000000007FF000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp | String found in binary or memory: https://3eie8a.sn.files.1drv.com/C
          Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.312794774.0000000000832000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp | String found in binary or memory: https://3eie8a.sn.files.1drv.com/y4mPZtA9xPxqg1XkAX9-qUmR9UIvDv4jsOqvEGGW7e_sHrucIbMm3Gtnd2oRX03KcuO
          Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.311676556.00000000007FF000.00000004.00000001.sdmp | String found in binary or memory: https://3eie8a.sn.files.1drv.com/y4mTGtN2XEyFxr4Fwg2GfGDYA-weizJsEgCfvnFlKm_xwhWQiYk4SVd3YN1FLBVj9kD
          Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp | String found in binary or memory: https://3eie8a.sn.files.1drv.com/y4mwmaWo75uzUwtwpwSnt0PfQZClqYm-BqTi81xEEYBIo3hzrTU99nIAl5l4jRjpvu3
          Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.311710977.0000000000832000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/
          Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.312794774.0000000000832000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.311710977.0000000000832000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/B&resid=C34B41C1B35825CB%21140&authkey=AN9sEgEIgUt16GA
          Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.310664901.0000000000832000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=C34B41C1B35825CB&resid=C34B41C1B35825CB%21140&authkey=AN9sEgE
          Source: unknown | DNS traffic detected: queries for: onedrive.live.com
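The Networking findings above mix three very different kinds of evidence: the C2 URL recovered by the configuration extractor, the OneDrive/1drv.com URLs and DNS query seen in the first-stage process, and incidental strings (a GlobalSign CRL, an XML namespace, the UPX homepage) that appear in almost any Windows memory dump. The following Python script is an added example, not part of the Joe Sandbox report, that turns lines of this section into a defanged IOC list: it classifies each finding by the report's own label, drops a small constructed allowlist of known-benign hosts, and collects the distinct hostnames worth blocking or hunting for. The sample lines are copied from the section above with the source and the finding separated by " | "; the allowlist and the category names are this example's assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines from the "Networking" section above, with the
# Joe Sandbox source and the finding separated by " | ".
REPORT_LINES = [
    "Source: Malware configuration extractor | URLs: www.hdetpnipa.xyz/a34b/",
    "Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.312773374.00000000007F8000.00000004.00000001.sdmp"
    " | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0",
    "Source: WerFault.exe, 0000000B.00000002.393477883.0000000005410000.00000004.00000001.sdmp"
    " | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy",
    "Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net",
    "Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp"
    " | String found in binary or memory: https://3eie8a.sn.files.1drv.com/",
    "Source: FedEx TRACKING DETAILS.exe, 00000001.00000003.311710977.0000000000832000.00000004.00000001.sdmp"
    " | String found in binary or memory: https://onedrive.live.com/download?cid=C34B41C1B35825CB"
    "&resid=C34B41C1B35825CB%21140&authkey=AN9sEgE",
    "Source: unknown | DNS traffic detected: queries for: onedrive.live.com",
]

# Assumed allowlist: hosts that show up in ordinary Windows memory (CRL
# distribution point, XML namespace, UPX project page) and are not indicators.
NOISE_HOSTS = {"crl.globalsign.net", "schemas.xmlsoap.org", "upx.sf.net"}

# "Source: <source> | <finding kind>: <value>"; the kind never contains a colon.
LINE_RE = re.compile(r"^Source: (?P<source>.*?) \| (?P<kind>[^:]+): (?P<value>.*)$")


def defang(text):
    """Make a URL or host safe to paste into a ticket: http -> hxxp, '.' -> '[.]'."""
    return text.replace("http", "hxxp").replace(".", "[.]")


def host_of(value):
    """Hostname of a URL; the config extractor omits the scheme, so add one if needed."""
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value).hostname or ""


def extract_iocs(lines):
    """Group findings into: c2 (extracted malware config), dns (observed query),
    url (other URLs in process memory), noise (allowlisted). Everything is
    defanged; 'hosts' lists the distinct non-noise hostnames in first-seen order."""
    iocs = {"c2": [], "dns": [], "url": [], "noise": [], "hosts": []}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, value = m.group("kind"), m.group("value").strip()
        if kind == "URLs":
            category = "c2"
        elif kind == "DNS traffic detected":
            category, value = "dns", value.rsplit(": ", 1)[-1]
        elif kind == "String found in binary or memory":
            category = "noise" if host_of(value) in NOISE_HOSTS else "url"
        else:
            continue
        entry = defang(value)
        if entry not in iocs[category]:
            iocs[category].append(entry)
        host = defang(host_of(value))
        if category != "noise" and host and host not in iocs["hosts"]:
            iocs["hosts"].append(host)
    return iocs


if __name__ == "__main__":
    for category, entries in extract_iocs(REPORT_LINES).items():
        print(category, entries)
```

Only the configuration extractor's URL is a confirmed C2 address; the 1drv.com and onedrive.live.com entries are hosting infrastructure that is legitimate in general, so they belong in a hunt query (which hosts contacted these URLs around the time of the alert) rather than a blanket block.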

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
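Every FormBook Yara hit in this section, and again in the System Summary section below, is attributed to process 7 (logagent.exe) rather than to the submitted FedEx TRACKING DETAILS.exe, and the memory dumps that matched carry protection 0x40 in their name, which is the Win32 PAGE_EXECUTE_READWRITE value. Reading that off the artifact names is how an analyst confirms the payload was injected into a foreign process. The following Python script is an added example, not part of the report, that parses both Joe Sandbox artifact name formats used here (`<pid>.<stage>.<image>.<base>.<index>[.raw].unpack` and `<pid>.<stage>.<id>.<base>.<protection>.<type>.sdmp`, PID and stage in hex in the second) and summarises, per process, the payload base addresses and whether any dump was writable and executable. The field layout of the names is inferred from the entries above; the meaning of the last `.sdmp` field is not interpreted, and the `foreign` flag is this example's own heuristic.

```python
import re

# Constructed sample: Yara match sources from the sections above.
YARA_SOURCES = [
    "7.0.logagent.exe.725b0000.11.unpack",
    "7.0.logagent.exe.6c0000.8.unpack",
    "7.2.logagent.exe.6c0000.0.raw.unpack",
    "7.2.logagent.exe.725b0000.3.raw.unpack",
    "00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp",
    "00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp",
    "00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp",
]

# Win32 PAGE_* memory protection constants; the fifth field of a .sdmp name
# holds the region protection in hex.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITABLE_EXECUTABLE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# <pid>.<stage>.<image name>.<base hex>.<index>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\."
    r"(?P<index>\d+)(?P<raw>\.raw)?\.unpack$", re.I)
# <pid hex>.<stage hex>.<dump id>.<base hex>.<protection hex>.<type hex>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<type>[0-9a-f]{8})\.sdmp$", re.I)


def parse_source(name):
    """Describe one artifact name, or return None if it is neither format."""
    m = UNPACK_RE.match(name)
    if m:
        return {"pid": int(m["pid"]), "stage": int(m["stage"]), "image": m["image"],
                "base": int(m["base"], 16), "protection": None, "raw": bool(m["raw"])}
    m = SDMP_RE.match(name)
    if m:
        return {"pid": int(m["pid"], 16), "stage": int(m["stage"], 16), "image": None,
                "base": int(m["base"], 16), "protection": int(m["prot"], 16), "raw": True}
    return None


def injection_summary(sources, sample_image):
    """Per PID: image name (from .unpack names), set of payload base addresses,
    whether any dump of the process was writable+executable, and 'foreign',
    true when the hosting image is not the submitted sample (heuristic)."""
    procs = {}
    for name in sources:
        art = parse_source(name)
        if art is None:
            continue
        proc = procs.setdefault(art["pid"], {"image": None, "bases": set(), "rwx": False})
        if art["image"]:
            proc["image"] = art["image"]
        proc["bases"].add(art["base"])
        if art["protection"] in WRITABLE_EXECUTABLE:
            proc["rwx"] = True
    for proc in procs.values():
        proc["foreign"] = (proc["image"] is not None
                           and proc["image"].lower() != sample_image.lower())
    return procs


if __name__ == "__main__":
    for pid, proc in injection_summary(YARA_SOURCES, "FedEx TRACKING DETAILS.exe").items():
        bases = ", ".join(hex(b) for b in sorted(proc["bases"]))
        print(f"PID {pid} {proc['image']}: bases {bases}, rwx={proc['rwx']}, foreign={proc['foreign']}")
```

Two bases recur for the payload, 0x6c0000 and 0x725b0000; the high one is in the range Windows normally reserves for system DLLs, which is why the report also flags memory allocated there.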

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: FedEx TRACKING DETAILS.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
          Source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Windows\SysWOW64\logagent.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 368
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: String function: 0473B150 appears 35 times
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_0477B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779840 NtDelayExecution,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047798F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047798A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779560 NtWriteFile,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779540 NtReadFile,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_0477AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779910 NtAdjustPrivilegesToken,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047795F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047799D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047795D0 NtClose,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047799A0 NtCreateSection,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779A50 NtCreateFile,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047796D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_0477A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_0477A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779710 NtQueryInformationToken,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779FE0 NtCreateMutant,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_0477A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047797A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04779780 NtMapViewOfSection,
          Source: FedEx TRACKING DETAILS.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Section loaded: amsiproxy.dll
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: 725B0000 page execute and read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: 725B0000 page no access
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: 725B0000 page read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: 725B1000 page read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: 725E0000 page read and write
          Source: FedEx TRACKING DETAILS.exe | Virustotal: Detection: 36%
          Source: FedEx TRACKING DETAILS.exe | ReversingLabs: Detection: 51%
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | File read: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe "C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe"
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Ipknvfrclgulizdtylbxizfhvowtamb[1]
          Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC41.tmp
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/7@2/0
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3144
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Binary string: wininet.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
          Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.377390699.000000000543C000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.377407261.000000000543D000.00000004.00000001.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: logagent.exe, 00000007.00000000.369531996.0000000004710000.00000040.00000001.sdmp, logagent.exe, 00000007.00000000.369661210.000000000482F000.00000040.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: logagent.exe, logagent.exe, 00000007.00000000.369531996.0000000004710000.00000040.00000001.sdmp, logagent.exe, 00000007.00000000.369661210.000000000482F000.00000040.00000001.sdmp, WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: wwin32u.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.392961331.00000000032F2000.00000004.00000001.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: wuser32.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdbk source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
          Source: Binary string: logagent.pdb source: WerFault.exe, 0000000B.00000003.381177211.0000000005781000.00000004.00000001.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.381205503.0000000005900000.00000004.00000040.sdmp
          Source: Binary string: wsock32.pdb source: WerFault.exe, 0000000B.00000003.381217300.0000000005907000.00000004.00000040.sdmp
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Code function: 1_3_02641752 push edx; ret
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_0478D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\SysWOW64\logagent.exe | RDTSC instruction interceptor: First address: 00000000006C9904 second address: 00000000006C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\logagent.exe | RDTSC instruction interceptor: First address: 00000000006C9B7E second address: 00000000006C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04776DE6 rdtsc
          Source: C:\Windows\SysWOW64\logagent.exe | Process information queried: ProcessInformation
          Source: Amcache.hve.11.dr | Binary or memory string: VMware
          Source: Amcache.hve.11.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
          Source: Amcache.hve.11.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
          Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.11.dr | Binary or memory string: VMware, Inc.
          Source: WerFault.exe, 0000000B.00000002.393404168.00000000053F0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWx!B
          Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
          Source: Amcache.hve.11.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.11.dr | Binary or memory string: VMware7,1
          Source: Amcache.hve.11.dr | Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.11.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: WerFault.exe, 0000000B.00000003.390796145.000000000540E000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.393477883.0000000005410000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
          Source: Amcache.hve.11.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.11.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.11.dr | Binary or memory string: VMware, Inc.me
          Source: Amcache.hve.11.dr | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
          Source: Amcache.hve.11.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
          Source: Amcache.hve.11.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047F2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_0475746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04750050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_0476A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_04808CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_0476BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_0476002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_0474B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047B7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 7_2_047F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047F14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0480740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0480740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0480740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04804015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04804015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047358EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047CB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047790AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0474849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04739080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04801074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0475C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0475C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04757D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_048005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_048005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0475B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0475B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04773D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04743D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047BA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04764D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04764D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04764D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04754120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04754120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04754120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04754120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04754120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04739100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04739100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04739100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047E8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047C41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0474D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0474D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04808D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04761DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04761DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04761DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04762990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0475C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04762581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04732D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0475AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0477927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0474766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047EB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047EB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04800EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04800EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04800EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047FEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047C4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04739240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04739240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04739240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04739240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04747E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047EFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04808ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04774A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04774A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04735210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04735210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04735210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04735210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04753A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04768E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047F1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04748A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04762AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04778EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04762ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047EFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0474AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0474AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04808A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047CFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04763B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04763B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0474FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04805BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0473DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0474EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04734F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04734F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0475F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047F131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047737F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0480070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0480070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0475DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04808B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04764BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04764BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04764BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04748794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04762397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_0476B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04808F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047F138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04741B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04741B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_047ED380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\logagent.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\logagent.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\logagent.exeCode function: 7_2_04779860 NtQuerySystemInformation,LdrInitializeThunk,

          HIPS / PFW / Operating System Protection Evasion:

          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 1D0000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 1E0000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 400000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 410000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 420000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 430000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 440000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 450000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 460000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 725B0000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 470000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 6B0000
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 725B0000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 1D0000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 1E0000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 410000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 420000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 430000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 440000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 450000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 460000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 470000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 6B0000 protect: page execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 725B0000 value starts with: 4D5A
          Creates a thread in another existing process (thread injection)
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 1D0000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 420000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 460000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 6B0000
          Source: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe | Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
          Source: logagent.exe, 00000007.00000000.357556724.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.346735402.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.349786949.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.358833612.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.353821559.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.356544338.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360094924.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.348754041.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.347969273.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352141401.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.355535580.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.369480515.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.372477132.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360963079.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.351047702.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352912159.0000000003300000.00000002.00020000.sdmp | Binary or memory string: Program Manager
          Source: logagent.exe, 00000007.00000000.357556724.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.346735402.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.349786949.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.358833612.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.353821559.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.356544338.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360094924.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.348754041.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.347969273.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352141401.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.355535580.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.369480515.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.372477132.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360963079.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.351047702.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352912159.0000000003300000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: logagent.exe, 00000007.00000000.357556724.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.346735402.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.349786949.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.358833612.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.353821559.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.356544338.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360094924.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.348754041.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.347969273.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352141401.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.355535580.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.369480515.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.372477132.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360963079.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.351047702.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352912159.0000000003300000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: logagent.exe, 00000007.00000000.357556724.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.346735402.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.349786949.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.358833612.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.353821559.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.356544338.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360094924.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.348754041.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.347969273.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352141401.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.355535580.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.369480515.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.372477132.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.360963079.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.351047702.0000000003300000.00000002.00020000.sdmp, logagent.exe, 00000007.00000000.352912159.0000000003300000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: Amcache.hve.11.dr, Amcache.hve.LOG1.11.drBinary or memory string: c:\users\user\desktop\procexp.exe
          Source: Amcache.hve.11.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.11.dr, Amcache.hve.LOG1.11.drBinary or memory string: procexp.exe

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.11.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.6c0000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.6c0000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.logagent.exe.6c0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.logagent.exe.725b0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.6c0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.725b0000.11.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.logagent.exe.6c0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.logagent.exe.6c0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation | DLL Side-Loading1 | Process Injection412 | Masquerading1 | OS Credential Dumping | Security Software Discovery131 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Virtualization/Sandbox Evasion1 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection412 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | System Information Discovery11 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          [screenshot thumbnail: windows-stand]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          FedEx TRACKING DETAILS.exe | 36% | Virustotal | -
          FedEx TRACKING DETAILS.exe | 52% | ReversingLabs | Win32.Backdoor.Androm
          FedEx TRACKING DETAILS.exe | 100% | Joe Sandbox ML | -

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.3.FedEx TRACKING DETAILS.exe.26e1534.338.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c9508.291.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d1914.140.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d0fb8.93.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c975c.64.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c95f8.303.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d1104.107.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26f189c.44.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d25fc.8.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26cd434.350.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26de008.143.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c53cc.145.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26dd954.118.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26cce64.330.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d4014.184.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c7cb8.211.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d858c.229.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c5d74.167.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26cb8c4.81.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e1c44.353.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e1348.39.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c62e4.178.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c45dc.85.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c88e4.227.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          7.0.logagent.exe.725b0000.11.unpack | 100% | Avira | TR/Crypt.Morphine.Gen
          1.3.FedEx TRACKING DETAILS.exe.26de3c4.151.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c6f60.197.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c88e0.231.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d6ecc.218.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c8b88.236.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d1104.108.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c8dfc.35.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c8b84.239.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d421c.193.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e9e68.119.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c4008.14.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26dd3f0.111.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26cb8c4.79.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d2eac.171.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c7d7c.216.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d4014.182.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e2180.55.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d0fb8.90.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c8ecc.251.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26f4008.71.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26ea4f8.290.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c4e74.106.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c5504.154.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c8b84.241.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26eaa28.308.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d91b4.253.unpack | 100% | Avira | TR/Patched.Ren.Gen
          7.0.logagent.exe.6c0000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e4008.202.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e0fb8.321.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e42c4.27.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26ca2bc.309.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d9ca8.51.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d9494.258.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d25fc.10.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e130c.333.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d9ca8.54.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c8b88.235.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e1c2c.351.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26cd43c.356.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e90a8.247.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c0fd0.47.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26f0008.196.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e42c4.30.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d2c04.162.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26cc0b4.22.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d9774.263.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26db95c.311.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c527c.138.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c4e70.99.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c11a0.61.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26de3c4.148.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26de758.159.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26ca1c8.15.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c93bc.50.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26cd3f4.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26dbffc.242.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d3840.84.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d8ad4.238.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e4008.200.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26dffc8.172.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e9518.104.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26f0008.194.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c9434.285.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26de758.156.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26c2104.74.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26dddf4.126.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26d39ac.179.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26dffc8.170.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26cd3f4.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26ef590.186.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26ec37c.31.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26e10e4.331.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26cb5dc.77.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.3.FedEx TRACKING DETAILS.exe.26dbffc.240.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.3.FedEx TRACKING DETAILS.exe.26ea68c.58.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          www.hdetpnipa.xyz/a34b/ | 10% | Virustotal | -
          www.hdetpnipa.xyz/a34b/ | 100% | Avira URL Cloud | phishing

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          onedrive.live.com | unknown | unknown | false | - | high
          3eie8a.sn.files.1drv.com | unknown | unknown | false | - | high

              Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          www.hdetpnipa.xyz/a34b/ | true | 10% Virustotal; Avira URL Cloud: phishing | low

              URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          https://3eie8a.sn.files.1drv.com/y4mTGtN2XEyFxr4Fwg2GfGDYA-weizJsEgCfvnFlKm_xwhWQiYk4SVd3YN1FLBVj9kD | FedEx TRACKING DETAILS.exe, 00000001.00000003.311676556.00000000007FF000.00000004.00000001.sdmp | false | - | high
          https://onedrive.live.com/B&resid=C34B41C1B35825CB%21140&authkey=AN9sEgEIgUt16GA | FedEx TRACKING DETAILS.exe, 00000001.00000003.312794774.0000000000832000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.311710977.0000000000832000.00000004.00000001.sdmp | false | - | high
          http://upx.sf.net | Amcache.hve.11.dr | false | - | high
          http://schemas.xmlsoap.org/ws/2004/09/policy | WerFault.exe, 0000000B.00000002.393477883.0000000005410000.00000004.00000001.sdmp | false | - | high
          https://onedrive.live.com/download?cid=C34B41C1B35825CB&resid=C34B41C1B35825CB%21140&authkey=AN9sEgE | FedEx TRACKING DETAILS.exe, 00000001.00000003.310664901.0000000000832000.00000004.00000001.sdmp | false | - | high
          https://3eie8a.sn.files.1drv.com/y4mwmaWo75uzUwtwpwSnt0PfQZClqYm-BqTi81xEEYBIo3hzrTU99nIAl5l4jRjpvu3 | FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp | false | - | high
          https://3eie8a.sn.files.1drv.com/ | FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.310664901.0000000000832000.00000004.00000001.sdmp | false | - | high
          https://3eie8a.sn.files.1drv.com/C | FedEx TRACKING DETAILS.exe, 00000001.00000003.312773374.00000000007F8000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.309668822.00000000007FF000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.311676556.00000000007FF000.00000004.00000001.sdmp, FedEx TRACKING DETAILS.exe, 00000001.00000003.310643764.00000000007FF000.00000004.00000001.sdmp | false | - | high
          https://onedrive.live.com/ | FedEx TRACKING DETAILS.exe, 00000001.00000003.311710977.0000000000832000.00000004.00000001.sdmp | false | - | high

                                Contacted IPs

                                No contacted IP infos

                                General Information

                                Joe Sandbox Version:34.0.0 Boulder Opal
                                Analysis ID:532861
                                Start date:02.12.2021
                                Start time:19:01:11
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 8m 52s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:FedEx TRACKING DETAILS.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed:22
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@4/7@2/0
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 100% (good quality ratio 86.3%)
                                • Quality average: 71.1%
                                • Quality standard deviation: 33.9%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                • Excluded IPs from analysis (whitelisted): 13.107.42.13, 13.107.42.12, 52.168.117.173
                                • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, onedsblobprdeus16.eastus.cloudapp.azure.com, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, odc-sn-files-geo.onedrive.akadns.net, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-sn-files-brs.onedrive.akadns.net, l-0003.l-msedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

          Time | Type | Description
          19:02:16 | API Interceptor | 1x Sleep call for process: FedEx TRACKING DETAILS.exe modified
          19:02:55 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

                                No context

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_logagent.exe_131232484c36b2f738ed9f8bca70746a5db0df_0357e9de_121e11bd\Report.wer
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.7680010292392891
                                Encrypted:false
                                SSDEEP:96:CzpFyTUlstcneIb6oI7JfapXIQcQvc6QcEDMcw3DSDq+HbHgoC5AJkq+h88WpB8B:E5itcnDHBUZMXojFq/u7smS274ItQT
                                MD5:419C342E2FF1D66525019CF8A7412F8A
                                SHA1:2160A039CE1626B5C19985EDC43001DB18E3FA16
                                SHA-256:CC9EF71255F0687FE00477DF292D7AD7A1EAE6DC7AB73CA1EA3BB0C8A5D47F52
                                SHA-512:15D0C391C989975E35D065A76EFBD137EA2E1BF9CD7D73D5A5EF3D8E9B1B6CD4366993ACC51D55733544F0E4D35E84C6C40542E86AFD411B83BFEC8C6DD088B2
                                Malicious:false
                                Reputation:low
                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.7.4.1.6.9.8.1.9.9.7.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.9.7.4.1.7.3.8.8.2.4.5.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.1.2.7.f.d.4.-.7.f.d.a.-.4.d.3.8.-.9.1.f.9.-.9.4.c.2.9.5.0.c.b.3.8.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.b.e.e.5.a.1.6.-.f.b.0.4.-.4.e.a.9.-.9.2.d.a.-.e.0.8.2.3.a.8.6.f.8.a.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.g.a.g.e.n.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.l.o.g.a.g.e.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.4.8.-.0.0.0.1.-.0.0.1.c.-.c.e.f.5.-.3.2.3.7.f.2.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.5.8.d.c.4.a.2.6.c.e.8.7.e.b.d.d.a.8.2.4.7.e.4.2.b.1.5.6.c.a.9.b.4.c.0.b.a.
                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER124.tmp.WERInternalMetadata.xml
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8310
                                Entropy (8bit):3.695731414622114
                                Encrypted:false
                                SSDEEP:192:Rrl7r3GLNiOG6mqUm6YLM6+PgmfcLSaCprh89b2hsfo0Sm:RrlsNiX6NUm6YQ6Ggmf4Ss2afN
                                MD5:063F7D56170385E625802CC652610447
                                SHA1:0DC00C5627088CEB143EA2B7CFC1E9360E03353C
                                SHA-256:3F12E53652B361A6A37801A732FEAFA0B4AE1BEE74BDA54AF1A2DC0327E9DDCD
                                SHA-512:CE1BD71C0AED946C6CC27BF237053D6ADC383612DBC7C0D3C0370195DEB4F4929DB11A62AF904797D1FD5BACF5690BE30C15A7AAA706531AC9267AD07AA1D368
                                Malicious:false
                                Reputation:low
                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.4.4.<./.P.i.d.>.......
                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER4AF.tmp.xml
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4670
                                Entropy (8bit):4.476819952907959
                                Encrypted:false
                                SSDEEP:48:cvIwSD8zsvJgtWI90aWSC8BS8fm8M4JemfZFmj+q86Gvx7Fcfrmrd:uITfRfbSNBJnyjox7Furmrd
                                MD5:336F69F3EC0897593738A0A982C59B9A
                                SHA1:76CED5ACBC0EC8D632735F57BCBB5B176717A888
                                SHA-256:2DDA1DF2C6660E634F389EBC8F503484B9AF03A59D1009B4C52F2908DC75222B
                                SHA-512:7D83AB3B3BAA5E6A9E77A3EFF41138907BFB850A078E09539625E2251E06E583C098693DA3205004010939A913CA0EF80974351802546FFC7068CDEF066570A7
                                Malicious:false
                                Reputation:low
                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1280893" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC41.tmp.dmp
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Fri Dec 3 03:02:50 2021, 0x1205a4 type
                                Category:dropped
                                Size (bytes):47606
                                Entropy (8bit):1.7988139734386561
                                Encrypted:false
                                SSDEEP:192:5GuBz473Be7zOWQ2ybM/ifHXsmao+2cf9YUni:E73B8qWQUivXsgcW
                                MD5:5B0A9E1019955F0C1E419FAB47D191AE
                                SHA1:B9C8571135C1A6A59BFC86323B6608C00F2F34AB
                                SHA-256:45461A2551690183BD56F18FE4A1D8F2A3716D2B5CDBD49097EDD5AC9070A2EF
                                SHA-512:8157CC2E4302FEB4729EDFB46DB854FAE2003CF80EC22FB469DD0866119811256A2B55D4BBB0598521792F464C443C263CA875D104DE1979C4E7A225309B2731
                                Malicious:false
                                Reputation:low
                                Preview: MDMP....... .........a........................$...........$...*%..........T.......8...........T...............^............................................................................................U...........B......t.......GenuineIntelW...........T.......H.....a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Ipknvfrclgulizdtylbxizfhvowtamb[1]
                                Process:C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):304640
                                Entropy (8bit):7.998000849555144
                                Encrypted:true
                                SSDEEP:6144:K728FG5e8FW+j7HoyEHTmcCknu7yB2A7X37dcVhPsBZ6Q/cnb1kTpm+BxOn:/1e8FW+j7Irqxkn+9AL37dokBZ6Tnb1p
                                MD5:C4357B267D515956EA1CB9AED8413834
                                SHA1:7DD659D3772D23142E9040D32057095A37123437
                                SHA-256:D75F7B2470A35DFCE5AD17422908FD0C085776F3D252C4CAA855DFABF1136984
                                SHA-512:51F9D250C71573E6C5CFCE0ADA38F04FE358FC64FB8EF417481BD90CC5D768F30DE418B08E4BDB5FEE955E80A21920B168643626FA30A86EA53B0A1CCCC74479
                                Malicious:false
                                Reputation:low
                                Preview: ...,y...Z.\..S....)....x..q...x..q..>...%....v.Z.....3....C..D...;...K..#..Z.L)...1.2kv.....5...+.p.F.9.WF.....!...x..q...x..q..>...%....v.Z.....3....C..D...;...K..#..Z.L)...1.2kv.....5...+.p.F.9.WF.....!...x..q...x..q..>...%....v.Z.....3....C.l.cK......Z......#......NBe_I./...Q....Y^.{:...6..=....t.....!.Dp...%.J."Y^.{:...6..=....t.....!.Dp...%.J..L>*x.%..-..p.}L9..`.@aV.US.iWgz.&J..L>*x.%..-..p.}L9..`.@aV.US.iWgz.&J..L>*x.%..-..p.}L9..`.@aV.US.iWgz.&J+R.Y.|..E3Zu.4.UjTx/V}.U...e.|.E,..>.&.lTx-D.]...5N...C4..nXw..3M.Z.....>./....X6.....drm..~Y.;....u.\)"...-b.W...~\....k.i.......*.i..E<...>..]...[..$.a.s...~..*.i..E<...>..]...[..$.a.s...~..*.i..E<...>..]...[..$.a.s...~..*.i..E<...>..]...[..$.a.s...Y....L...b".~....I.fK..8.....To....0s.]..........5G....}.......*..x*.'m.}...nY....+c..J...Q..nY.y./V...m..w..u....._..{..>.*.....l@..1Xi.S..\p<..e.(......&.....5A?3G.[.../U..)c.-Zo.5W... ..#v'v5Vx&.v/Q..Zv(..4.\u..i.....6.*.E9?3K.....P..|..6......
                                C:\Windows\appcompat\Programs\Amcache.hve
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:MS Windows registry file, NT/2000 or above
                                Category:dropped
                                Size (bytes):1572864
                                Entropy (8bit):4.277492162857272
                                Encrypted:false
                                SSDEEP:12288:15pAHpPpGqxnemhizybkiFOEZlxJw5qJfJa4gDXNTqYMd5LC4UzfYQ:vpAHpPpGqxnemhWT
                                MD5:F5278E8C90C6CD7F46EEAEC5CA6492EF
                                SHA1:1B088B8E770B36A14C898689C615B4FBDE3303F2
                                SHA-256:0E6C371B3907EAD27B65988EC532B2B3C5D3F65CD2D76608BCA039C1F884215D
                                SHA-512:09687E0F4152D0ED322F6D4A40B6155C077FCA5369A95F3EE112B46DA9E12D4FC7D7023647CAC1C4F3E1C8AE85FBA7D8CA3FF283CFB75F59DC8DE3D749CC3233
                                Malicious:false
                                Reputation:low
                                Preview: regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm>..@.................................................................................................................................................................................................................................................................................................................................................G..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:MS Windows registry file, NT/2000 or above
                                Category:dropped
                                Size (bytes):24576
                                Entropy (8bit):4.02994997432179
                                Encrypted:false
                                SSDEEP:384:I9cs5Rftx1OPJ4X9seFnh7khPBqXeSeq5QMVyi6+/rl4Lk4TZd1DoXznqGUXvu:McaRftx10J4XaeFh7KBqXleq5QMVyi6L
                                MD5:C5C36F93BAF245509167136DFF19024F
                                SHA1:7EECA1040B8962D0DB6EB612A9AD9141DE8E9F5E
                                SHA-256:BC1B85E63C38939BA308CF8C1BC6B7363434358957AC3DAA969A3438AA216C95
                                SHA-512:0CED1208041C041C193F517701CF3FDBB554D352504DB2D5A455B3EF270BEA4DA4F1F5D392B311BE3C8349681A9AE779F073E9F9A61245F7BCDD93BE5DB6C108
                                Malicious:false
                                Reputation:low
                                Preview: regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm>..@.................................................................................................................................................................................................................................................................................................................................................G..HvLE.^......Y....................{...S>.........0................... ..hbin................p.\..,..........nk,..u.@........ ........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..u.@........ ........................... .......Z.......................Root........lf......Root....nk ..u.@.....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):6.715076012164725
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 90.87%
                                • Win32 Executable Borland Delphi 7 (665061/41) 6.04%
                                • Win32 Executable Borland Delphi 6 (262906/60) 2.39%
                                • InstallShield setup (43055/19) 0.39%
                                • Win32 Executable Delphi generic (14689/80) 0.13%
                                File name:FedEx TRACKING DETAILS.exe
                                File size:697856
                                MD5:32414d4cae15c3a8063bf1251346533c
                                SHA1:3e92cca40b5b3bde11265ea773e77e0cd2432f96
                                SHA256:d6b4f7ba99b492e9b2382b51f6c49b32e86cc81b7fc6c93313f5962de4b910bd
                                SHA512:a1af25aab065a83f5cac7a8ae89e9cae22a4014f2440f954773be0855950bb110aa28187da898b07dc795900d7181b1461541b29767fd45ab0336b3689ac6769
                                SSDEEP:12288:CIEpAb3iVUYfqUe+L7JMlbv7fkgx8BcFcePyaW:CI8G3DYfq9+hMNTMK8Cbm
                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                File Icon

                                Icon Hash:3670910284e2d9b0

                                Static PE Info

                                General

                                Entrypoint:0x45ac10
                                Entrypoint Section:CODE
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                DLL Characteristics:
                                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:bbc9c0e1dd018627fbe5726a5fc2ba6c

                                Entrypoint Preview

                                Instruction
                                push ebp
                                mov ebp, esp
                                add esp, FFFFFFF0h
                                mov eax, 0045A9B8h
                                call 00007F1524E818C9h
                                nop
                                nop
                                nop
                                nop
                                nop
                                nop
                                mov eax, dword ptr [0045C2ECh]
                                mov eax, dword ptr [eax]
                                call 00007F1524ECD08Bh
                                mov ecx, dword ptr [0045C468h]
                                mov eax, dword ptr [0045C2ECh]
                                mov eax, dword ptr [eax]
                                mov edx, dword ptr [0045A768h]
                                call 00007F1524ECD08Bh
                                mov eax, dword ptr [0045C2ECh]
                                mov eax, dword ptr [eax]
                                call 00007F1524ECD0FFh
                                call 00007F1524E7F536h
                                nop
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5e000 | 0x210a | .idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6a000 | 0x46600 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x63000 | 0x636c | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x62000 | 0x18 | .rdata
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                CODE | 0x1000 | 0x59c5c | 0x59e00 | False | 0.533007540855 | data | 6.54076370728 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                DATA | 0x5b000 | 0x1480 | 0x1600 | False | 0.412642045455 | data | 3.98462224633 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                BSS | 0x5d000 | 0xda5 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                .idata | 0x5e000 | 0x210a | 0x2200 | False | 0.361443014706 | data | 4.94811291969 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                .tls | 0x61000 | 0x10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                .rdata | 0x62000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.199107517787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                .reloc | 0x63000 | 0x636c | 0x6400 | False | 0.6420703125 | data | 6.6906267798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                .rsrc | 0x6a000 | 0x46600 | 0x46600 | False | 0.417646120115 | data | 5.79742330784 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                RT_CURSOR | 0x6b23c | 0x134 | data
                                RT_CURSOR | 0x6b370 | 0x134 | data
                                RT_CURSOR | 0x6b4a4 | 0x134 | data
                                RT_CURSOR | 0x6b5d8 | 0x134 | data
                                RT_CURSOR | 0x6b70c | 0x134 | data
                                RT_CURSOR | 0x6b840 | 0x134 | data
                                RT_CURSOR | 0x6b974 | 0x134 | data
                                RT_BITMAP | 0x6baa8 | 0x1d0 | data
                                RT_BITMAP | 0x6bc78 | 0x1e4 | data
                                RT_BITMAP | 0x6be5c | 0x1d0 | data
                                RT_BITMAP | 0x6c02c | 0x1d0 | data
                                RT_BITMAP | 0x6c1fc | 0x1d0 | data
                                RT_BITMAP | 0x6c3cc | 0x1d0 | data
                                RT_BITMAP | 0x6c59c | 0x1d0 | data
                                RT_BITMAP | 0x6c76c | 0x1d0 | data
                                RT_BITMAP | 0x6c93c | 0x1d0 | data
                                RT_BITMAP | 0x6cb0c | 0x1d0 | data
                                RT_BITMAP | 0x6ccdc | 0x128 | data
                                RT_BITMAP | 0x6ce04 | 0x128 | data
                                RT_BITMAP | 0x6cf2c | 0x128 | data
                                RT_BITMAP | 0x6d054 | 0xe8 | data
                                RT_BITMAP | 0x6d13c | 0x128 | data
                                RT_BITMAP | 0x6d264 | 0x128 | data
                                RT_BITMAP | 0x6d38c | 0xd0 | data
                                RT_BITMAP | 0x6d45c | 0x128 | data
                                RT_BITMAP | 0x6d584 | 0x128 | data
                                RT_BITMAP | 0x6d6ac | 0x128 | data
                                RT_BITMAP | 0x6d7d4 | 0x128 | data
                                RT_BITMAP | 0x6d8fc | 0x128 | data
                                RT_BITMAP | 0x6da24 | 0xe8 | data
                                RT_BITMAP | 0x6db0c | 0x128 | data
                                RT_BITMAP | 0x6dc34 | 0x128 | data
                                RT_BITMAP | 0x6dd5c | 0xd0 | data
                                RT_BITMAP | 0x6de2c | 0x128 | data
                                RT_BITMAP | 0x6df54 | 0x128 | data
                                RT_BITMAP | 0x6e07c | 0x128 | data
                                RT_BITMAP | 0x6e1a4 | 0x128 | data
                                RT_BITMAP | 0x6e2cc | 0x128 | data
                                RT_BITMAP | 0x6e3f4 | 0xe8 | data
                                RT_BITMAP | 0x6e4dc | 0x128 | data
                                RT_BITMAP | 0x6e604 | 0x128 | data
                                RT_BITMAP | 0x6e72c | 0xd0 | data
                                RT_BITMAP | 0x6e7fc | 0x128 | data
                                RT_BITMAP | 0x6e924 | 0x128 | data
                                RT_BITMAP | 0x6ea4c | 0xe8 | GLS_BINARY_LSB_FIRST | English | United States
                                RT_ICON | 0x6eb34 | 0x10a8 | data | English | United States
                                RT_ICON | 0x6fbdc | 0x25a8 | data | English | United States
                                RT_DIALOG | 0x72184 | 0x52 | data
                                RT_STRING | 0x721d8 | 0x244 | data
                                RT_STRING | 0x7241c | 0x1f0 | data
                                RT_STRING | 0x7260c | 0x1c0 | data
                                RT_STRING | 0x727cc | 0xdc | data
                                RT_STRING | 0x728a8 | 0x2f4 | data
                                RT_STRING | 0x72b9c | 0xdc | data
                                RT_STRING | 0x72c78 | 0x10c | data
                                RT_STRING | 0x72d84 | 0x33c | data
                                RT_STRING | 0x730c0 | 0x3d4 | data
                                RT_STRING | 0x73494 | 0x3a4 | data
                                RT_STRING | 0x73838 | 0x3e8 | data
                                RT_STRING | 0x73c20 | 0xf4 | data
                                RT_STRING | 0x73d14 | 0xc4 | data
                                RT_STRING | 0x73dd8 | 0x2c0 | data
                                RT_STRING | 0x74098 | 0x478 | data
                                RT_STRING | 0x74510 | 0x3ac | data
                                RT_STRING | 0x748bc | 0x2d4 | data
                                RT_RCDATA | 0x74b90 | 0x10 | data
                                RT_RCDATA | 0x74ba0 | 0x310 | data
                                RT_RCDATA | 0x74eb0 | 0x3b5a8 | GIF image data, version 89a, 744 x 119 | English | United States
                                RT_GROUP_CURSOR | 0xb0458 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                                RT_GROUP_CURSOR | 0xb046c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                                RT_GROUP_CURSOR | 0xb0480 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                                RT_GROUP_CURSOR | 0xb0494 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                                RT_GROUP_CURSOR | 0xb04a8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                                RT_GROUP_CURSOR | 0xb04bc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                                RT_GROUP_CURSOR | 0xb04d0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
                                RT_GROUP_ICON | 0xb04e4 | 0x22 | data | English | United States

                                Imports

                                DLL | Import
                                kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                                user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
                                advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
                                kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                                advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                                version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                                gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
                                user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                                kernel32.dllSleep
                                oleaut32.dllSafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
                                ole32.dllCoUninitialize, CoInitialize
                                oleaut32.dllGetErrorInfo, SysFreeString
                                comctl32.dllImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                                advapi32AuditFree
                                uRLInetIsOffline

                                Possible Origin

                                Language of compilation system | Country where language is spoken
                                English                        | United States

                                Network Behavior

                                Network Port Distribution

                                UDP Packets

                                Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
                                Dec 2, 2021 19:02:17.356704950 CET | 52130       | 53        | 192.168.2.3 | 8.8.8.8
                                Dec 2, 2021 19:02:18.154975891 CET | 55102       | 53        | 192.168.2.3 | 8.8.8.8

                                DNS Queries

                                Timestamp                          | Source IP   | Dest IP | Trans ID | OP Code            | Name                     | Type           | Class
                                Dec 2, 2021 19:02:17.356704950 CET | 192.168.2.3 | 8.8.8.8 | 0x7a68   | Standard query (0) | onedrive.live.com        | A (IP address) | IN (0x0001)
                                Dec 2, 2021 19:02:18.154975891 CET | 192.168.2.3 | 8.8.8.8 | 0x6502   | Standard query (0) | 3eie8a.sn.files.1drv.com | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp                          | Source IP | Dest IP     | Trans ID | Reply Code   | Name                     | CName                               | Address | Type                   | Class
                                Dec 2, 2021 19:02:17.374954939 CET | 8.8.8.8   | 192.168.2.3 | 0x7a68   | No error (0) | onedrive.live.com        | odc-web-geo.onedrive.akadns.net     |         | CNAME (Canonical name) | IN (0x0001)
                                Dec 2, 2021 19:02:18.199157953 CET | 8.8.8.8   | 192.168.2.3 | 0x6502   | No error (0) | 3eie8a.sn.files.1drv.com | sn-files.fe.1drv.com                |         | CNAME (Canonical name) | IN (0x0001)
                                Dec 2, 2021 19:02:18.199157953 CET | 8.8.8.8   | 192.168.2.3 | 0x6502   | No error (0) | sn-files.fe.1drv.com     | odc-sn-files-geo.onedrive.akadns.net |         | CNAME (Canonical name) | IN (0x0001)

                                Code Manipulations

                                Statistics

                                System Behavior

                                General

                                Start time: 19:02:08
                                Start date: 02/12/2021
                                Path: C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Users\user\Desktop\FedEx TRACKING DETAILS.exe"
                                Imagebase: 0x400000
                                File size: 697856 bytes
                                MD5 hash: 32414D4CAE15C3A8063BF1251346533C
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: Borland Delphi
                                Reputation: low

                                General

                                Start time: 19:02:32
                                Start date: 02/12/2021
                                Path: C:\Windows\SysWOW64\logagent.exe
                                Wow64 process (32bit): true
                                Commandline: C:\Windows\System32\logagent.exe
                                Imagebase: 0x12e0000
                                File size: 86016 bytes
                                MD5 hash: E2036AC444AB4AD91EECC1A80FF7212F
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.369906603.00000000725B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.368986547.00000000006C0000.00000040.00000010.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.370945934.00000000006C0000.00000040.00000010.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.400149920.00000000725B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.394673690.00000000006C0000.00000040.00000010.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.372945434.00000000725B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation: moderate

                                General

                                Start time: 19:02:47
                                Start date: 02/12/2021
                                Path: C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit): true
                                Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 368
                                Imagebase: 0x1250000
                                File size: 434592 bytes
                                MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                Disassembly

                                Code Analysis
