Windows Analysis Report
FedEx.com

Overview

General Information

Sample Name: FedEx.com (renamed file extension from com to exe)
Analysis ID: 626183
MD5: 917aa80e03e09b1d2b6619cc62cdbe22
SHA1: 4124f6fa2d81e4f3db5bc62099fe4f03f71f091f
SHA256: 57f4cf106379977932d3ca39bfceb27bf66b55b60465f3a6560d71983709ecea
Tags: exe formbook modiloader xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: FedEx.exe Virustotal: Detection: 31%
Source: FedEx.exe ReversingLabs: Detection: 58%
Source: Yara match File source: 20.0.logagent.exe.10410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.logagent.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.logagent.exe.10410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.DpiScaling.exe.10410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.DpiScaling.exe.10410000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.662948879.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.643656925.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.600971102.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.663406978.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.622514268.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.601348197.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.696412101.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.639113956.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.601926446.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.627979202.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.658059430.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.478775786.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.479688839.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.658204539.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.640834589.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.583342582.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.601178673.000000000F23E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.582254970.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.639730390.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.550265684.000000000F23E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.622677419.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.582967305.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.600603050.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.479381669.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.696533789.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.479097118.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.582561192.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.695229674.0000000000E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\Public\Libraries\Rvsuben.exe Virustotal: Detection: 31%
Source: C:\Users\Public\Libraries\Rvsuben.exe ReversingLabs: Detection: 58%
Source: 12.3.Rvsuben.exe.39f6370.345.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388f8d8.78.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f5e50.321.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3897e24.385.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a0fe80.401.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38afd50.394.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a14008.465.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38a8008.109.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f8008.116.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38b0008.412.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fc008.533.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a179c4.504.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a3ae58.567.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39ee75c.181.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3894708.312.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a0c6f8.346.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f3f4c.282.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ebfec.165.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f6208.325.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38b2a78.445.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a177e4.495.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f3f68.288.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39facf8.474.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fbf24.520.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a2eae4.457.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ef630.74.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a05ab4.264.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3889914.113.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a226b8.336.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39ebfb8.156.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f7d50.147.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39e8ba8.26.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a114e4.417.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a46300.318.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a04008.256.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39fbf78.524.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39eff28.231.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3897f88.159.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38af950.376.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38b761c.484.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39efd08.226.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39e45d4.29.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f8008.117.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39e7360.56.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f7f40.403.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a15398.471.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.389e710.122.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fa6b4.470.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a0fe80.401.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38afea0.407.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a179c4.502.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f6208.329.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a1d040.574.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3890090.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a1551c.456.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388ff6c.234.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a3ae0c.562.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38af200.362.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38b0008.413.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f95ec.461.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ef9e0.80.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39fbbf4.493.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38ce514.466.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f6760.133.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f8270.419.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38b79c4.502.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.389e4ac.557.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39e7a60.71.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a07040.272.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ec008.167.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a18008.538.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a07ea0.283.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f5f48.45.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a0fc50.388.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39ef9e0.81.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f44b4.119.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a04008.254.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a07040.270.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39fc49c.541.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f86bc.432.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38a4008.254.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fbea0.511.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38b26ac.467.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39fbea0.510.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f7904.361.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388f1b0.185.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a2adc4.449.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3899278.414.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f4008.300.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f6ad4.137.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f5e6c.324.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a0c6f8.345.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f8b24.439.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.0.logagent.exe.10410000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.3.FedEx.exe.38a7008.266.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f7ed8.154.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ef9e0.82.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38a75d8.276.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f44b4.121.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3892a88.257.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39e7360.57.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f3834.269.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f86bc.433.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39e7a60.72.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38aef64.354.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3894284.304.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3897eb4.393.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38d1bf4.318.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f8b40.444.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a1db94.556.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a2adc4.451.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f3ff0.297.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39edc60.49.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ff508.197.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a46300.317.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38c27ec.341.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39edc60.50.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38b7658.488.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f7cb4.373.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a0f620.223.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39e7d08.83.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39fbf04.514.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39e4020.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38bfc58.592.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388fc3c.220.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a22634.330.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39e7c70.76.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a28b5c.421.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3884314.12.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ff808.209.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388f630.74.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f5e6c.323.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a07ebc.289.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38b761c.482.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a5aa00.319.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3897c9c.366.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f86b0.431.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38b77a8.490.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39e4314.12.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a0deb8.360.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39ff848.217.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3897cdc.381.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a07fc8.293.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39fe82c.575.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f89e0.173.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a07008.266.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3895f48.45.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39eff28.230.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38af978.378.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f7cb8.369.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f4008.300.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a17c04.506.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.389ce2c.545.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a17e34.517.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38ce514.465.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f8008.411.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3890298.243.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3897f44.400.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a0c480.332.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a075d8.274.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39efc30.216.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fc5a8.175.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a0f958.372.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39e7ffc.48.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3887fec.92.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3889560.37.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3887360.56.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3898008.163.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388f8d8.76.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a106ec.420.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38afe68.404.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3897490.140.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3888560.102.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a0f990.384.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a0f200.362.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f7e30.389.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38a4b94.249.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f4290.306.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f6ad4.135.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a0c490.338.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39efc14.214.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388ff28.230.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39e8008.52.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a19c10.541.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a10d70.435.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fbf24.519.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a46300.320.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f20cc.34.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3889914.112.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a0fea0.407.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ffed0.237.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a0f930.367.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39fc008.537.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f2a88.257.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f6f70.359.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a1d068.579.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39e4314.11.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f7cb8.369.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fe4c0.563.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388fd08.226.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38ca89c.437.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a226b8.336.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39e804c.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39efa6c.192.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fbfc4.527.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a43d14.453.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ec008.161.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39effd0.92.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39fe718.107.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39effd0.94.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39e737c.61.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a17c04.508.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a0fe04.399.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a1761c.482.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38845d8.25.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38bf7bc.590.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.389fed0.236.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.389bb18.481.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38a7ecc.286.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a084f0.305.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f0298.244.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38c4008.410.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f7f44.400.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f0298.243.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39fc008.539.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a00008.182.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39fc008.455.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f2a88.258.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a11650.441.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ebffc.106.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a05518.259.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a15398.472.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fce2c.545.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38b9c10.543.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fc49c.542.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.389d07c.551.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ed62c.31.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39ef9e0.82.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f3f68.285.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f5e6c.323.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f7e24.387.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3896f70.357.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.389bd78.506.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3884020.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.389e82c.575.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3896f70.359.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a20008.586.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39e4ab4.35.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a126ac.468.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fbb28.487.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fbb18.483.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388fa6c.192.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39ff4f0.193.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a0ef64.355.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39e45d4.27.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38aa968.179.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ede4c.21.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3897cb8.371.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3887fec.91.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.389e860.129.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39efa6c.194.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388be6c.146.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a07ecc.286.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fe860.129.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3896760.132.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3893ffc.296.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38944d8.125.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ee2e0.176.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a08008.301.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388fa90.206.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f7cd0.377.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38cadc4.452.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388e2e0.175.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39ec940.14.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.389e830.569.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a07fc8.293.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f52d4.105.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3888ba8.26.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f0090.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388fc18.208.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f9278.416.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a0fe68.404.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f8008.116.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.388f630.72.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f7cb8.370.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f4284.302.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.389e378.186.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fbbf4.493.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38b551c.455.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38ac700.348.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39fbc70.501.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a17e84.522.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f3ff0.290.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.38afe68.405.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.3a08008.109.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39f2a88.258.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ffed0.236.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.389f9a0.587.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a0fe68.405.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ee6b8.57.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39f7eb4.395.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FedEx.exe.3893834.269.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39ef8d8.76.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.3a0a968.178.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.3.Rvsuben.exe.39e98c0.20.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.Rvsuben.exe.39ff848.219.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 20.0.logagent.exe.10410000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: FedEx.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.5:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.5:49783 version: TLS 1.2
Source: Binary string: WWAHost.pdb source: logagent.exe, 00000008.00000002.624050662.0000000005070000.00000040.10000000.00040000.00000000.sdmp, logagent.exe, 00000008.00000003.619739649.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, logagent.exe, 00000008.00000003.618801358.0000000005078000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: WWAHost.pdbUGP source: logagent.exe, 00000008.00000002.624050662.0000000005070000.00000040.10000000.00040000.00000000.sdmp, logagent.exe, 00000008.00000003.619739649.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, logagent.exe, 00000008.00000003.618801358.0000000005078000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: logagent.exe, 00000008.00000002.626998143.00000000052AF000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000008.00000003.482099015.0000000004FFD000.00000004.00000800.00020000.00000000.sdmp, logagent.exe, 00000008.00000003.480246797.0000000004E62000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: logagent.exe
Source: FedEx.exe, 00000000.00000003.445278121.000000000096F000.00000004.00000020.00020000.00000000.sdmp, FedEx.exe, 00000000.00000003.429089058.0000000000976000.00000004.00000020.00020000.00000000.sdmp, FedEx.exe, 00000000.00000003.431052122.0000000000978000.00000004.00000020.00020000.00000000.sdmp, FedEx.exe, 00000000.00000003.432988112.0000000000974000.00000004.00000020.00020000.00000000.sdmp, FedEx.exe, 00000000.00000003.429028276.000000000097A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: FedEx.exe, 00000000.00000003.429089058.0000000000976000.00000004.00000020.00020000.00000000.sdmp, FedEx.exe, 00000000.00000003.431052122.0000000000978000.00000004.00000020.00020000.00000000.sdmp, FedEx.exe, 00000000.00000003.432988112.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://7psoug.db.files.1drv.com/
Source: FedEx.exe, 00000000.00000003.429089058.0000000000976000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://7psoug.db.files.1drv.com/7
Source: FedEx.exe, 00000000.00000003.445278121.000000000096F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://7psoug.db.files.1drv.com/9
Source: FedEx.exe, 00000000.00000003.445278121.000000000096F000.00000004.00000020.00020000.00000000.sdmp, FedEx.exe, 00000000.00000003.429089058.0000000000976000.00000004.00000020.00020000.00000000.sdmp, FedEx.exe, 00000000.00000003.431052122.0000000000978000.00000004.00000020.00020000.00000000.sdmp, FedEx.exe, 00000000.00000003.432988112.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://7psoug.db.files.1drv.com/C
Source: FedEx.exe, 00000000.00000003.429089058.0000000000976000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://7psoug.db.files.1drv.com/D
Source: FedEx.exe, 00000000.00000003.429089058.0000000000976000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://7psoug.db.files.1drv.com/y#
Source: FedEx.exe, 00000000.00000003.432988112.0000000000974000.00000004.00000020.00020000.00000000.sdmp, FedEx.exe, 00000000.00000003.429028276.000000000097A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://7psoug.db.files.1drv.com/y4mTnkLj40hyLVw4BtBaiXNAdGj9lmXPu8bnFu8Q62yCKBLlljWV9gQTwNCXadDaPBG
Source: FedEx.exe, 00000000.00000003.445278121.000000000096F000.00000004.00000020.00020000.00000000.sdmp, FedEx.exe, 00000000.00000003.431008651.0000000000972000.00000004.00000020.00020000.00000000.sdmp, FedEx.exe, 00000000.00000003.431052122.0000000000978000.00000004.00000020.00020000.00000000.sdmp, FedEx.exe, 00000000.00000003.432988112.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://7psoug.db.files.1drv.com/y4mbREn9_V4vP2iayGOc8Ug-MJsNGUbQ22edGkOo763CxJa0LiZHDGiyIHL8PMA6_CP
Source: FedEx.exe, 00000000.00000003.432988112.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://7psoug.db.files.1drv.com/y4ml7-AIKSVvhdNF4oTlWE27Sg2xfN1VXI-zQgD_S8pdj84xCMmYdG5QewqUmSM7ppL
Source: FedEx.exe, 00000000.00000003.432988112.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download??cid=020C1D97A63B8AD4&resid=20C1D97A63B8AD4%21155&authkey=ADj7CX_
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /download??cid=020C1D97A63B8AD4&resid=20C1D97A63B8AD4%21155&authkey=ADj7CX_G1rJPDU4 HTTP/1.1
  User-Agent: lVali
  Host: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /y4mTnkLj40hyLVw4BtBaiXNAdGj9lmXPu8bnFu8Q62yCKBLlljWV9gQTwNCXadDaPBG7a5xsZQK5iQFq0oL78Muh1zAhj_-GEEmciX2xawq2j1_yCdrDwIN59eRGDziNd9B4VLik6wClT-AZqKljLWZnWxQ35HpD4NNz2-X026MmD9jZr5dj0h083QXOKwfNDAijB2b6l19b29hHg3LxktPSA/Rvsubentohcvaxlbphydsofhyldatal?download&psid=1 HTTP/1.1
  User-Agent: lVali
  Host: 7psoug.db.files.1drv.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download??cid=020C1D97A63B8AD4&resid=20C1D97A63B8AD4%21155&authkey=ADj7CX_G1rJPDU4 HTTP/1.1
  User-Agent: 44
  Host: onedrive.live.com
  Cache-Control: no-cache
  Cookie: E=P:c2oI1fM02og=:k6u1A444aq3bmDmo/mWTSqLlr2uZ2puo/iD5RFPbsfE=:F; xid=09282da4-e147-4895-8781-e47f9fbefcca&&RD00155D3F4236&173; xidseq=1; wla42=
Source: global traffic HTTP traffic detected: GET /y4ml7-AIKSVvhdNF4oTlWE27Sg2xfN1VXI-zQgD_S8pdj84xCMmYdG5QewqUmSM7ppL4ErfY5FQN7yQ5e8Er7wNoethZZPpye0v7-OBK4AhUUqHfyyPL2MArqnagRFrgHcjasodUbnSfipUTgA205VKAkM6jdwj-Gik53gySQuJl4UaH9ZZ7bt5lPVcB0d0zfIP24kcbexngfNA4ODS-TihkA/Rvsubentohcvaxlbphydsofhyldatal?download&psid=1 HTTP/1.1
  User-Agent: 44
  Cache-Control: no-cache
  Host: 7psoug.db.files.1drv.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download??cid=020C1D97A63B8AD4&resid=20C1D97A63B8AD4%21155&authkey=ADj7CX_G1rJPDU4 HTTP/1.1
  User-Agent: lVali
  Host: onedrive.live.com
  Cookie: wla42=
Source: global traffic HTTP traffic detected: GET /y4mXzMyFpM-jvgYM2atIhPeCTn-KOLCtL7U4aJYB1KsLhYlFeUNNY5EZ0sSApCOscVc-to_baaLv-1uq-cP7hO418R6MOZIGvLjtvhiD_mEDnWjp3s9Qsm1jpUq4454e-9uDhTZlrnoLq2DLbIyxL0XkGdDoZeoeSpDv4t2v7vZ0zKXXy9SWLxTnkTTK7PFcdWjAgGOV3jjYEd6kSox2c2hfQ/Rvsubentohcvaxlbphydsofhyldatal?download&psid=1 HTTP/1.1
  User-Agent: lVali
  Host: 7psoug.db.files.1drv.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download??cid=020C1D97A63B8AD4&resid=20C1D97A63B8AD4%21155&authkey=ADj7CX_G1rJPDU4 HTTP/1.1
  User-Agent: 45
  Host: onedrive.live.com
  Cache-Control: no-cache
  Cookie: wla42=; E=P:x8sx6vM02og=:Xai/HAzACW+7FNKbBAsKrPAl9FCAAVV5cLK8hqZn0bE=:F; xid=5c4918a1-6b9b-426b-b5a3-a1e2c0aa1d36&&RD00155D3F4235&173; xidseq=1
Source: global traffic HTTP traffic detected: GET /y4mdlIsJv5Tl5tDvsMQlusKvl6KHLsIPGYjnDT92Ql0Z4RhT6d4YPOSq5oomATg0RWW04TBLjz9Th0GACCDR4MzUTy0Ib7dIUdXpmrwe7bOGx16nNEe5ZEFdAP0aKSAUbEEKdbUCA4qN9WtiA-RMypGqztNXcMBU_T1NHqmaPWhQkceP-sLizDEyr8dT8Qb0BFnniFZNQl2dlaqlWlEi2TPyw/Rvsubentohcvaxlbphydsofhyldatal?download&psid=1 HTTP/1.1
  User-Agent: 45
  Cache-Control: no-cache
  Host: 7psoug.db.files.1drv.com
  Connection: Keep-Alive

E-Banking Fraud

Source: Yara match File source: 20.0.logagent.exe.10410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.logagent.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.logagent.exe.10410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.DpiScaling.exe.10410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.DpiScaling.exe.10410000.4.unpack, type: UNPACKEDPE

System Summary

Source: 20.0.logagent.exe.10410000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.0.logagent.exe.10410000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.logagent.exe.10410000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.logagent.exe.10410000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 20.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 20.0.logagent.exe.10410000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.0.logagent.exe.10410000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 22.0.DpiScaling.exe.10410000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 22.0.DpiScaling.exe.10410000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.639730390.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.639730390.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.550265684.000000000F23E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.550265684.000000000F23E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.622677419.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.622677419.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000000.582967305.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000000.582967305.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000000.600603050.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000000.600603050.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.479381669.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.479381669.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.696533789.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.696533789.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.479097118.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.479097118.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000000.582561192.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000000.582561192.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.695229674.0000000000E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.695229674.0000000000E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: FedEx.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: 20.0.logagent.exe.10410000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 20.0.logagent.exe.10410000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.logagent.exe.10410000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.logagent.exe.10410000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 20.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 20.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 20.0.logagent.exe.10410000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 20.0.logagent.exe.10410000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 22.0.DpiScaling.exe.10410000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 22.0.DpiScaling.exe.10410000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.662948879.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001F.00000002.662948879.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.643656925.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.643656925.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.600971102.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.600971102.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.663406978.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.663406978.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.622514268.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.622514268.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.601348197.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.601348197.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.696412101.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.696412101.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.639113956.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.639113956.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.601926446.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.601926446.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.627979202.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.627979202.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.658059430.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.658059430.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.478775786.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.478775786.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.479688839.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.479688839.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.658204539.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.658204539.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.640834589.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.640834589.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000000.583342582.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000000.583342582.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.601178673.000000000F23E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.601178673.000000000F23E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000000.582254970.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000000.582254970.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.639730390.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.639730390.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.550265684.000000000F23E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.550265684.000000000F23E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.622677419.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.622677419.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000000.582967305.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000000.582967305.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.600603050.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.600603050.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.479381669.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.479381669.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.696533789.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.696533789.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.479097118.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.479097118.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000000.582561192.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000000.582561192.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.695229674.0000000000E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.695229674.0000000000E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\Libraries\nebusvR.url, type: DROPPED Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\Public\Libraries\nebusvR.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051BF900 8_2_051BF900
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05282D07 8_2_05282D07
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B0D20 8_2_051B0D20
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051D4120 8_2_051D4120
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05281D55 8_2_05281D55
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E2581 8_2_051E2581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051CD5E0 8_2_051CD5E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C841F 8_2_051C841F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05271002 8_2_05271002
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_052820A8 8_2_052820A8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051CB090 8_2_051CB090
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E20A0 8_2_051E20A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05282B28 8_2_05282B28
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051EEBB0 8_2_051EEBB0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05281FF1 8_2_05281FF1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0527DBD2 8_2_0527DBD2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051D6E30 8_2_051D6E30
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_052822AE 8_2_052822AE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05282EF7 8_2_05282EF7
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B4841F 20_2_04B4841F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BFD466 20_2_04BFD466
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C025DD 20_2_04C025DD
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B62581 20_2_04B62581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF2D82 20_2_04BF2D82
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B4D5E0 20_2_04B4D5E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B30D20 20_2_04B30D20
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C01D55 20_2_04C01D55
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C02D07 20_2_04C02D07
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C02EF7 20_2_04C02EF7
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B56E30 20_2_04B56E30
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BFD616 20_2_04BFD616
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C0DFCE 20_2_04C0DFCE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C01FF1 20_2_04C01FF1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B620A0 20_2_04B620A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B4B090 20_2_04B4B090
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C028EC 20_2_04C028EC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C020A8 20_2_04C020A8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5A830 20_2_04B5A830
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1002 20_2_04BF1002
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C0E824 20_2_04C0E824
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B599BF 20_2_04B599BF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B54120 20_2_04B54120
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B3F900 20_2_04B3F900
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4AEF 20_2_04BF4AEF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C022AE 20_2_04C022AE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BEFA2B 20_2_04BEFA2B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6EBB0 20_2_04B6EBB0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BE23E3 20_2_04BE23E3
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF03DA 20_2_04BF03DA
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BFDBD2 20_2_04BFDBD2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6ABD8 20_2_04B6ABD8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5A309 20_2_04B5A309
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C02B28 20_2_04C02B28
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5AB40 20_2_04B5AB40
Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 051BB150 appears 35 times
Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 04B3B150 appears 133 times
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_051F9910
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9540 NtReadFile,LdrInitializeThunk, 8_2_051F9540
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F99A0 NtCreateSection,LdrInitializeThunk, 8_2_051F99A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F95D0 NtClose,LdrInitializeThunk, 8_2_051F95D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9840 NtDelayExecution,LdrInitializeThunk, 8_2_051F9840
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9860 NtQuerySystemInformation,LdrInitializeThunk, 8_2_051F9860
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F98F0 NtReadVirtualMemory,LdrInitializeThunk, 8_2_051F98F0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9710 NtQueryInformationToken,LdrInitializeThunk, 8_2_051F9710
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9780 NtMapViewOfSection,LdrInitializeThunk, 8_2_051F9780
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F97A0 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_051F97A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9FE0 NtCreateMutant,LdrInitializeThunk, 8_2_051F9FE0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9A00 NtProtectVirtualMemory,LdrInitializeThunk, 8_2_051F9A00
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9A20 NtResumeThread,LdrInitializeThunk, 8_2_051F9A20
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9A50 NtCreateFile,LdrInitializeThunk, 8_2_051F9A50
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9660 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_051F9660
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F96E0 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_051F96E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051FAD30 NtSetContextThread, 8_2_051FAD30
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9520 NtWaitForSingleObject, 8_2_051F9520
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9950 NtQueueApcThread, 8_2_051F9950
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9560 NtWriteFile, 8_2_051F9560
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F99D0 NtCreateProcessEx, 8_2_051F99D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F95F0 NtQueryInformationFile, 8_2_051F95F0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9820 NtEnumerateKey, 8_2_051F9820
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051FB040 NtSuspendThread, 8_2_051FB040
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F98A0 NtWriteVirtualMemory, 8_2_051F98A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051FA710 NtOpenProcessToken, 8_2_051FA710
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9B00 NtSetValueKey, 8_2_051F9B00
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9730 NtQueryVirtualMemory, 8_2_051F9730
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9770 NtSetInformationFile, 8_2_051F9770
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051FA770 NtOpenThread, 8_2_051FA770
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9760 NtOpenProcess, 8_2_051F9760
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051FA3B0 NtGetContextThread, 8_2_051FA3B0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9610 NtEnumerateValueKey, 8_2_051F9610
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9A10 NtQuerySection, 8_2_051F9A10
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9650 NtQueryValueKey, 8_2_051F9650
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9670 NtQueryInformationProcess, 8_2_051F9670
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9A80 NtOpenDirectoryObject, 8_2_051F9A80
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F96D0 NtCreateKey, 8_2_051F96D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B795D0 NtClose,LdrInitializeThunk, 20_2_04B795D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79540 NtReadFile,LdrInitializeThunk, 20_2_04B79540
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B796E0 NtFreeVirtualMemory,LdrInitializeThunk, 20_2_04B796E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79660 NtAllocateVirtualMemory,LdrInitializeThunk, 20_2_04B79660
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B797A0 NtUnmapViewOfSection,LdrInitializeThunk, 20_2_04B797A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79780 NtMapViewOfSection,LdrInitializeThunk, 20_2_04B79780
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79FE0 NtCreateMutant,LdrInitializeThunk, 20_2_04B79FE0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79710 NtQueryInformationToken,LdrInitializeThunk, 20_2_04B79710
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B798F0 NtReadVirtualMemory,LdrInitializeThunk, 20_2_04B798F0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79860 NtQuerySystemInformation,LdrInitializeThunk, 20_2_04B79860
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79840 NtDelayExecution,LdrInitializeThunk, 20_2_04B79840
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B799A0 NtCreateSection,LdrInitializeThunk, 20_2_04B799A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79910 NtAdjustPrivilegesToken,LdrInitializeThunk, 20_2_04B79910
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79A20 NtResumeThread,LdrInitializeThunk, 20_2_04B79A20
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79A00 NtProtectVirtualMemory,LdrInitializeThunk, 20_2_04B79A00
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79A50 NtCreateFile,LdrInitializeThunk, 20_2_04B79A50
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B795F0 NtQueryInformationFile, 20_2_04B795F0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B7AD30 NtSetContextThread, 20_2_04B7AD30
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79520 NtWaitForSingleObject, 20_2_04B79520
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79560 NtWriteFile, 20_2_04B79560
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B796D0 NtCreateKey, 20_2_04B796D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79610 NtEnumerateValueKey, 20_2_04B79610
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79670 NtQueryInformationProcess, 20_2_04B79670
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79650 NtQueryValueKey, 20_2_04B79650
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79730 NtQueryVirtualMemory, 20_2_04B79730
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B7A710 NtOpenProcessToken, 20_2_04B7A710
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B7A770 NtOpenThread, 20_2_04B7A770
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79770 NtSetInformationFile, 20_2_04B79770
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79760 NtOpenProcess, 20_2_04B79760
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B798A0 NtWriteVirtualMemory, 20_2_04B798A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79820 NtEnumerateKey, 20_2_04B79820
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B7B040 NtSuspendThread, 20_2_04B7B040
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B799D0 NtCreateProcessEx, 20_2_04B799D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79950 NtQueueApcThread, 20_2_04B79950
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79A80 NtOpenDirectoryObject, 20_2_04B79A80
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79A10 NtQuerySection, 20_2_04B79A10
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B7A3B0 NtGetContextThread, 20_2_04B7A3B0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B79B00 NtSetValueKey, 20_2_04B79B00
Source: FedEx.exe, 00000000.00000003.424180107.000000007FD10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.exe, vs FedEx.exe
Source: FedEx.exe, 00000000.00000003.424293428.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.exe, vs FedEx.exe
Source: FedEx.exe, 00000000.00000003.424776287.0000000003580000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.exe, vs FedEx.exe
Source: FedEx.exe, 00000000.00000000.422864741.00000000004DD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7z.exe, vs FedEx.exe
Source: FedEx.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: FedEx.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Rvsuben.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Rvsuben.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\FedEx.exe Section loaded: archiveint.dll
Source: C:\Users\user\Desktop\FedEx.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\FedEx.exe Section loaded: mpclient.dll
Source: C:\Users\user\Desktop\FedEx.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\FedEx.exe Section loaded: ????.dll
Source: C:\Users\user\Desktop\FedEx.exe Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Rvsuben.exe Section loaded: archiveint.dll
Source: C:\Users\Public\Libraries\Rvsuben.exe Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Rvsuben.exe Section loaded: mpclient.dll
Source: C:\Users\Public\Libraries\Rvsuben.exe Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Rvsuben.exe Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Rvsuben.exe Section loaded: ??l.dll
Source: FedEx.exe Virustotal: Detection: 31%
Source: FedEx.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\FedEx.exe File read: C:\Users\user\Desktop\FedEx.exe
Source: C:\Users\user\Desktop\FedEx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\FedEx.exe "C:\Users\user\Desktop\FedEx.exe"
Source: C:\Users\user\Desktop\FedEx.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\Public\Libraries\Rvsuben.exe "C:\Users\Public\Libraries\Rvsuben.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\Public\Libraries\Rvsuben.exe "C:\Users\Public\Libraries\Rvsuben.exe"
Source: C:\Users\Public\Libraries\Rvsuben.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\Public\Libraries\Rvsuben.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\logagent.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: C:\Users\user\Desktop\FedEx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\FedEx.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Rvsubentohcvaxlbphydsofhyldatal[1]
Source: classification engine Classification label: mal100.troj.evad.winEXE@17/6@7/2
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\FedEx.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Rvsuben.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
Source: C:\Users\user\Desktop\FedEx.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Rvsuben.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: WWAHost.pdb source: logagent.exe, 00000008.00000002.624050662.0000000005070000.00000040.10000000.00040000.00000000.sdmp, logagent.exe, 00000008.00000003.619739649.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, logagent.exe, 00000008.00000003.618801358.0000000005078000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: WWAHost.pdbUGP source: logagent.exe, 00000008.00000002.624050662.0000000005070000.00000040.10000000.00040000.00000000.sdmp, logagent.exe, 00000008.00000003.619739649.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, logagent.exe, 00000008.00000003.618801358.0000000005078000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: logagent.exe, 00000008.00000002.626998143.00000000052AF000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000008.00000003.482099015.0000000004FFD000.00000004.00000800.00020000.00000000.sdmp, logagent.exe, 00000008.00000003.480246797.0000000004E62000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: logagent.exe
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_03541F02 push ss; ret 0_3_03541F14
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_03541EDD push ecx; ret 0_3_03541EF7
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_035426FE pushfd ; ret 0_3_035426FF
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_03542136 push ss; ret 0_3_03542150
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_035429D6 push esi; retf 0_3_035429D8
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_035435C6 push ecx; ret 0_3_035435C7
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_035425C0 pushfd ; ret 0_3_035425C1
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_035439EE push es; ret 0_3_035439EF
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_0354219A pushfd ; ret 0_3_0354219B
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_03541C36 pushfd ; ret 0_3_03541C37
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_035404D1 push ss; ret 0_3_035404E9
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_035424DE pushfd ; ret 0_3_035424DF
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_035404C5 push ss; ret 0_3_035404B7
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_035428EB pushfd ; ret 0_3_035428EC
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_0354109D pushfd ; ret 0_3_0354109E
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_03545C86 push ebx; ret 0_3_03545C8C
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_0354048C push ss; ret 0_3_035404B7
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_035404B8 push ebx; ret 0_3_035404C4
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_035420A6 pushfd ; ret 0_3_035420A7
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_038D5384 push 0041C3A0h; ret 0_3_038D53A8
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_03883B86 push ss; ret 0_3_03883BA0
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_038D43A8 push 0041B428h; ret 0_3_038D4430
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_038D53DC push 0041C3F8h; ret 0_3_038D5400
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_03883BEA pushfd ; ret 0_3_03883BEB
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_03881F08 push ebx; ret 0_3_03881F14
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_038D5314 push 0041C330h; ret 0_3_038D5338
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_03881F15 push ss; ret 0_3_03881F07
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_03883F2E pushfd ; ret 0_3_03883F2F
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_03881F21 push ss; ret 0_3_03881F39
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_0388433B pushfd ; ret 0_3_0388433C
Source: C:\Users\user\Desktop\FedEx.exe Code function: 0_3_03883686 pushfd ; ret 0_3_03883687
Source: C:\Users\user\Desktop\FedEx.exe File created: C:\Users\Public\Libraries\Rvsuben.exe
Source: C:\Users\user\Desktop\FedEx.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Rvsuben

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon1488.png
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\FedEx.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rvsuben.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\logagent.exe RDTSC instruction interceptor: First address: 0000000010418C04 second address: 0000000010418C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\logagent.exe RDTSC instruction interceptor: First address: 0000000010418F9E second address: 0000000010418FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\DpiScaling.exe RDTSC instruction interceptor: First address: 0000000010418C04 second address: 0000000010418C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\DpiScaling.exe RDTSC instruction interceptor: First address: 0000000010418F9E second address: 0000000010418FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000000E28C04 second address: 0000000000E28C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000000E28F9E second address: 0000000000E28FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000003048C04 second address: 0000000003048C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000003048F9E second address: 0000000003048FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 00000000032D8C04 second address: 00000000032D8C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 00000000032D8F9E second address: 00000000032D8FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F6DE6 rdtsc 8_2_051F6DE6
Source: C:\Windows\SysWOW64\logagent.exe API coverage: 6.1 %
Source: C:\Windows\SysWOW64\logagent.exe API coverage: 4.4 %
Source: C:\Windows\SysWOW64\logagent.exe Process information queried: ProcessInformation
Source: FedEx.exe, 00000000.00000003.445267529.0000000000959000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: FedEx.exe, 00000000.00000003.445267529.0000000000959000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW,
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F6DE6 rdtsc 8_2_051F6DE6
Source: C:\Windows\SysWOW64\logagent.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\DpiScaling.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WWAHost.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mstsc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0523A537 mov eax, dword ptr fs:[00000030h] 8_2_0523A537
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B9100 mov eax, dword ptr fs:[00000030h] 8_2_051B9100
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05288D34 mov eax, dword ptr fs:[00000030h] 8_2_05288D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0527E539 mov eax, dword ptr fs:[00000030h] 8_2_0527E539
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E513A mov eax, dword ptr fs:[00000030h] 8_2_051E513A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E4D3B mov eax, dword ptr fs:[00000030h] 8_2_051E4D3B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h] 8_2_051C3D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051BAD30 mov eax, dword ptr fs:[00000030h] 8_2_051BAD30
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051D4120 mov eax, dword ptr fs:[00000030h] 8_2_051D4120
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051D4120 mov ecx, dword ptr fs:[00000030h] 8_2_051D4120
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051D7D50 mov eax, dword ptr fs:[00000030h] 8_2_051D7D50
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051DB944 mov eax, dword ptr fs:[00000030h] 8_2_051DB944
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F3D43 mov eax, dword ptr fs:[00000030h] 8_2_051F3D43
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05233540 mov eax, dword ptr fs:[00000030h] 8_2_05233540
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051BB171 mov eax, dword ptr fs:[00000030h] 8_2_051BB171
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051DC577 mov eax, dword ptr fs:[00000030h] 8_2_051DC577
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051BC962 mov eax, dword ptr fs:[00000030h] 8_2_051BC962
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_052805AC mov eax, dword ptr fs:[00000030h] 8_2_052805AC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051EFD9B mov eax, dword ptr fs:[00000030h] 8_2_051EFD9B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_052369A6 mov eax, dword ptr fs:[00000030h] 8_2_052369A6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E2990 mov eax, dword ptr fs:[00000030h] 8_2_051E2990
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B2D8A mov eax, dword ptr fs:[00000030h] 8_2_051B2D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051EA185 mov eax, dword ptr fs:[00000030h] 8_2_051EA185
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_052351BE mov eax, dword ptr fs:[00000030h] 8_2_052351BE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051DC182 mov eax, dword ptr fs:[00000030h] 8_2_051DC182
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E2581 mov eax, dword ptr fs:[00000030h] 8_2_051E2581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E1DB5 mov eax, dword ptr fs:[00000030h] 8_2_051E1DB5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E61A0 mov eax, dword ptr fs:[00000030h] 8_2_051E61A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E35A1 mov eax, dword ptr fs:[00000030h] 8_2_051E35A1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0527FDE2 mov eax, dword ptr fs:[00000030h] 8_2_0527FDE2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_052441E8 mov eax, dword ptr fs:[00000030h] 8_2_052441E8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05268DF1 mov eax, dword ptr fs:[00000030h] 8_2_05268DF1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05236DC9 mov eax, dword ptr fs:[00000030h] 8_2_05236DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05236DC9 mov ecx, dword ptr fs:[00000030h] 8_2_05236DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051BB1E1 mov eax, dword ptr fs:[00000030h] 8_2_051BB1E1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051CD5E0 mov eax, dword ptr fs:[00000030h] 8_2_051CD5E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h] 8_2_05271C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0528740D mov eax, dword ptr fs:[00000030h] 8_2_0528740D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05236C0A mov eax, dword ptr fs:[00000030h] 8_2_05236C0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051EBC2C mov eax, dword ptr fs:[00000030h] 8_2_051EBC2C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E002D mov eax, dword ptr fs:[00000030h] 8_2_051E002D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05237016 mov eax, dword ptr fs:[00000030h] 8_2_05237016
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051CB02A mov eax, dword ptr fs:[00000030h] 8_2_051CB02A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05284015 mov eax, dword ptr fs:[00000030h] 8_2_05284015
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051D0050 mov eax, dword ptr fs:[00000030h] 8_2_051D0050
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05272073 mov eax, dword ptr fs:[00000030h] 8_2_05272073
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051EA44B mov eax, dword ptr fs:[00000030h] 8_2_051EA44B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05281074 mov eax, dword ptr fs:[00000030h] 8_2_05281074
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051D746D mov eax, dword ptr fs:[00000030h] 8_2_051D746D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0524C450 mov eax, dword ptr fs:[00000030h] 8_2_0524C450
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C849B mov eax, dword ptr fs:[00000030h] 8_2_051C849B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B9080 mov eax, dword ptr fs:[00000030h] 8_2_051B9080
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051EF0BF mov ecx, dword ptr fs:[00000030h] 8_2_051EF0BF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051EF0BF mov eax, dword ptr fs:[00000030h] 8_2_051EF0BF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05233884 mov eax, dword ptr fs:[00000030h] 8_2_05233884
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F90AF mov eax, dword ptr fs:[00000030h] 8_2_051F90AF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E20A0 mov eax, dword ptr fs:[00000030h] 8_2_051E20A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05236CF0 mov eax, dword ptr fs:[00000030h] 8_2_05236CF0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_052714FB mov eax, dword ptr fs:[00000030h] 8_2_052714FB
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0524B8D0 mov eax, dword ptr fs:[00000030h] 8_2_0524B8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0524B8D0 mov ecx, dword ptr fs:[00000030h] 8_2_0524B8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B58EC mov eax, dword ptr fs:[00000030h] 8_2_051B58EC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05288CD6 mov eax, dword ptr fs:[00000030h] 8_2_05288CD6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051DF716 mov eax, dword ptr fs:[00000030h] 8_2_051DF716
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051EA70E mov eax, dword ptr fs:[00000030h] 8_2_051EA70E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0528070D mov eax, dword ptr fs:[00000030h] 8_2_0528070D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051EE730 mov eax, dword ptr fs:[00000030h] 8_2_051EE730
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0524FF10 mov eax, dword ptr fs:[00000030h] 8_2_0524FF10
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B4F2E mov eax, dword ptr fs:[00000030h] 8_2_051B4F2E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0527131B mov eax, dword ptr fs:[00000030h] 8_2_0527131B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05288F6A mov eax, dword ptr fs:[00000030h] 8_2_05288F6A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051BF358 mov eax, dword ptr fs:[00000030h] 8_2_051BF358
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051BDB40 mov eax, dword ptr fs:[00000030h] 8_2_051BDB40
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051CEF40 mov eax, dword ptr fs:[00000030h] 8_2_051CEF40
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E3B7A mov eax, dword ptr fs:[00000030h] 8_2_051E3B7A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05288B58 mov eax, dword ptr fs:[00000030h] 8_2_05288B58
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051BDB60 mov ecx, dword ptr fs:[00000030h] 8_2_051BDB60
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051CFF60 mov eax, dword ptr fs:[00000030h] 8_2_051CFF60
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C8794 mov eax, dword ptr fs:[00000030h] 8_2_051C8794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E2397 mov eax, dword ptr fs:[00000030h] 8_2_051E2397
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05285BA5 mov eax, dword ptr fs:[00000030h] 8_2_05285BA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051EB390 mov eax, dword ptr fs:[00000030h] 8_2_051EB390
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C1B8F mov eax, dword ptr fs:[00000030h] 8_2_051C1B8F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0526D380 mov ecx, dword ptr fs:[00000030h] 8_2_0526D380
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0527138A mov eax, dword ptr fs:[00000030h] 8_2_0527138A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E4BAD mov eax, dword ptr fs:[00000030h] 8_2_051E4BAD
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05237794 mov eax, dword ptr fs:[00000030h] 8_2_05237794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_052353CA mov eax, dword ptr fs:[00000030h] 8_2_052353CA
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F37F5 mov eax, dword ptr fs:[00000030h] 8_2_051F37F5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051DDBE9 mov eax, dword ptr fs:[00000030h] 8_2_051DDBE9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E03E2 mov eax, dword ptr fs:[00000030h] 8_2_051E03E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051D3A1C mov eax, dword ptr fs:[00000030h] 8_2_051D3A1C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051EA61C mov eax, dword ptr fs:[00000030h] 8_2_051EA61C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B5210 mov eax, dword ptr fs:[00000030h] 8_2_051B5210
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B5210 mov ecx, dword ptr fs:[00000030h] 8_2_051B5210
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051BAA16 mov eax, dword ptr fs:[00000030h] 8_2_051BAA16
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C8A0A mov eax, dword ptr fs:[00000030h] 8_2_051C8A0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0526FE3F mov eax, dword ptr fs:[00000030h] 8_2_0526FE3F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051BC600 mov eax, dword ptr fs:[00000030h] 8_2_051BC600
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051BC600 mov eax, dword ptr fs:[00000030h] 8_2_051BC600
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051BC600 mov eax, dword ptr fs:[00000030h] 8_2_051BC600
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E8E00 mov eax, dword ptr fs:[00000030h] 8_2_051E8E00
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05271608 mov eax, dword ptr fs:[00000030h] 8_2_05271608
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F4A2C mov eax, dword ptr fs:[00000030h] 8_2_051F4A2C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F4A2C mov eax, dword ptr fs:[00000030h] 8_2_051F4A2C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051BE620 mov eax, dword ptr fs:[00000030h] 8_2_051BE620
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0526B260 mov eax, dword ptr fs:[00000030h] 8_2_0526B260
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0526B260 mov eax, dword ptr fs:[00000030h] 8_2_0526B260
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05288A62 mov eax, dword ptr fs:[00000030h] 8_2_05288A62
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B9240 mov eax, dword ptr fs:[00000030h] 8_2_051B9240
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B9240 mov eax, dword ptr fs:[00000030h] 8_2_051B9240
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B9240 mov eax, dword ptr fs:[00000030h] 8_2_051B9240
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B9240 mov eax, dword ptr fs:[00000030h] 8_2_051B9240
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C7E41 mov eax, dword ptr fs:[00000030h] 8_2_051C7E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C7E41 mov eax, dword ptr fs:[00000030h] 8_2_051C7E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C7E41 mov eax, dword ptr fs:[00000030h] 8_2_051C7E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C7E41 mov eax, dword ptr fs:[00000030h] 8_2_051C7E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C7E41 mov eax, dword ptr fs:[00000030h] 8_2_051C7E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C7E41 mov eax, dword ptr fs:[00000030h] 8_2_051C7E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0527AE44 mov eax, dword ptr fs:[00000030h] 8_2_0527AE44
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0527AE44 mov eax, dword ptr fs:[00000030h] 8_2_0527AE44
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F927A mov eax, dword ptr fs:[00000030h] 8_2_051F927A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051DAE73 mov eax, dword ptr fs:[00000030h] 8_2_051DAE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051DAE73 mov eax, dword ptr fs:[00000030h] 8_2_051DAE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051DAE73 mov eax, dword ptr fs:[00000030h] 8_2_051DAE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051DAE73 mov eax, dword ptr fs:[00000030h] 8_2_051DAE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051DAE73 mov eax, dword ptr fs:[00000030h] 8_2_051DAE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C766D mov eax, dword ptr fs:[00000030h] 8_2_051C766D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0527EA55 mov eax, dword ptr fs:[00000030h] 8_2_0527EA55
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05244257 mov eax, dword ptr fs:[00000030h] 8_2_05244257
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_052346A7 mov eax, dword ptr fs:[00000030h] 8_2_052346A7
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051ED294 mov eax, dword ptr fs:[00000030h] 8_2_051ED294
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051ED294 mov eax, dword ptr fs:[00000030h] 8_2_051ED294
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05280EA5 mov eax, dword ptr fs:[00000030h] 8_2_05280EA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05280EA5 mov eax, dword ptr fs:[00000030h] 8_2_05280EA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05280EA5 mov eax, dword ptr fs:[00000030h] 8_2_05280EA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0524FE87 mov eax, dword ptr fs:[00000030h] 8_2_0524FE87
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051CAAB0 mov eax, dword ptr fs:[00000030h] 8_2_051CAAB0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051CAAB0 mov eax, dword ptr fs:[00000030h] 8_2_051CAAB0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051EFAB0 mov eax, dword ptr fs:[00000030h] 8_2_051EFAB0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B52A5 mov eax, dword ptr fs:[00000030h] 8_2_051B52A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B52A5 mov eax, dword ptr fs:[00000030h] 8_2_051B52A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B52A5 mov eax, dword ptr fs:[00000030h] 8_2_051B52A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B52A5 mov eax, dword ptr fs:[00000030h] 8_2_051B52A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051B52A5 mov eax, dword ptr fs:[00000030h] 8_2_051B52A5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E36CC mov eax, dword ptr fs:[00000030h] 8_2_051E36CC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E2ACB mov eax, dword ptr fs:[00000030h] 8_2_051E2ACB
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F8EC7 mov eax, dword ptr fs:[00000030h] 8_2_051F8EC7
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_0526FEC0 mov eax, dword ptr fs:[00000030h] 8_2_0526FEC0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E2AE4 mov eax, dword ptr fs:[00000030h] 8_2_051E2AE4
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051E16E0 mov ecx, dword ptr fs:[00000030h] 8_2_051E16E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_05288ED6 mov eax, dword ptr fs:[00000030h] 8_2_05288ED6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051C76E2 mov eax, dword ptr fs:[00000030h] 8_2_051C76E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C08CD6 mov eax, dword ptr fs:[00000030h] 20_2_04C08CD6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 mov eax, dword ptr fs:[00000030h] 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 mov eax, dword ptr fs:[00000030h] 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 mov eax, dword ptr fs:[00000030h] 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 mov eax, dword ptr fs:[00000030h] 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 mov eax, dword ptr fs:[00000030h] 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 mov eax, dword ptr fs:[00000030h] 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 mov eax, dword ptr fs:[00000030h] 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 mov eax, dword ptr fs:[00000030h] 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 mov eax, dword ptr fs:[00000030h] 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 mov eax, dword ptr fs:[00000030h] 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 mov eax, dword ptr fs:[00000030h] 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 mov eax, dword ptr fs:[00000030h] 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF4496 mov eax, dword ptr fs:[00000030h] 20_2_04BF4496
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B4849B mov eax, dword ptr fs:[00000030h] 20_2_04B4849B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF14FB mov eax, dword ptr fs:[00000030h] 20_2_04BF14FB
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB6CF0 mov eax, dword ptr fs:[00000030h] 20_2_04BB6CF0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB6CF0 mov eax, dword ptr fs:[00000030h] 20_2_04BB6CF0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB6CF0 mov eax, dword ptr fs:[00000030h] 20_2_04BB6CF0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6BC2C mov eax, dword ptr fs:[00000030h] 20_2_04B6BC2C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB6C0A mov eax, dword ptr fs:[00000030h] 20_2_04BB6C0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB6C0A mov eax, dword ptr fs:[00000030h] 20_2_04BB6C0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB6C0A mov eax, dword ptr fs:[00000030h] 20_2_04BB6C0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB6C0A mov eax, dword ptr fs:[00000030h] 20_2_04BB6C0A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 20_2_04BF1C06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C0740D mov eax, dword ptr fs:[00000030h] 20_2_04C0740D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C0740D mov eax, dword ptr fs:[00000030h] 20_2_04C0740D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C0740D mov eax, dword ptr fs:[00000030h] 20_2_04C0740D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6AC7B mov eax, dword ptr fs:[00000030h] 20_2_04B6AC7B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6AC7B mov eax, dword ptr fs:[00000030h] 20_2_04B6AC7B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6AC7B mov eax, dword ptr fs:[00000030h] 20_2_04B6AC7B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6AC7B mov eax, dword ptr fs:[00000030h] 20_2_04B6AC7B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6AC7B mov eax, dword ptr fs:[00000030h] 20_2_04B6AC7B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6AC7B mov eax, dword ptr fs:[00000030h] 20_2_04B6AC7B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6AC7B mov eax, dword ptr fs:[00000030h] 20_2_04B6AC7B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6AC7B mov eax, dword ptr fs:[00000030h] 20_2_04B6AC7B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6AC7B mov eax, dword ptr fs:[00000030h] 20_2_04B6AC7B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6AC7B mov eax, dword ptr fs:[00000030h] 20_2_04B6AC7B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6AC7B mov eax, dword ptr fs:[00000030h] 20_2_04B6AC7B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5746D mov eax, dword ptr fs:[00000030h] 20_2_04B5746D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BCC450 mov eax, dword ptr fs:[00000030h] 20_2_04BCC450
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BCC450 mov eax, dword ptr fs:[00000030h] 20_2_04BCC450
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6A44B mov eax, dword ptr fs:[00000030h] 20_2_04B6A44B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B61DB5 mov eax, dword ptr fs:[00000030h] 20_2_04B61DB5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B61DB5 mov eax, dword ptr fs:[00000030h] 20_2_04B61DB5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B61DB5 mov eax, dword ptr fs:[00000030h] 20_2_04B61DB5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B635A1 mov eax, dword ptr fs:[00000030h] 20_2_04B635A1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6FD9B mov eax, dword ptr fs:[00000030h] 20_2_04B6FD9B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6FD9B mov eax, dword ptr fs:[00000030h] 20_2_04B6FD9B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B62581 mov eax, dword ptr fs:[00000030h] 20_2_04B62581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B62581 mov eax, dword ptr fs:[00000030h] 20_2_04B62581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B62581 mov eax, dword ptr fs:[00000030h] 20_2_04B62581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B62581 mov eax, dword ptr fs:[00000030h] 20_2_04B62581
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B32D8A mov eax, dword ptr fs:[00000030h] 20_2_04B32D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B32D8A mov eax, dword ptr fs:[00000030h] 20_2_04B32D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B32D8A mov eax, dword ptr fs:[00000030h] 20_2_04B32D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B32D8A mov eax, dword ptr fs:[00000030h] 20_2_04B32D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B32D8A mov eax, dword ptr fs:[00000030h] 20_2_04B32D8A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF2D82 mov eax, dword ptr fs:[00000030h] 20_2_04BF2D82
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF2D82 mov eax, dword ptr fs:[00000030h] 20_2_04BF2D82
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF2D82 mov eax, dword ptr fs:[00000030h] 20_2_04BF2D82
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF2D82 mov eax, dword ptr fs:[00000030h] 20_2_04BF2D82
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF2D82 mov eax, dword ptr fs:[00000030h] 20_2_04BF2D82
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF2D82 mov eax, dword ptr fs:[00000030h] 20_2_04BF2D82
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF2D82 mov eax, dword ptr fs:[00000030h] 20_2_04BF2D82
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BE8DF1 mov eax, dword ptr fs:[00000030h] 20_2_04BE8DF1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B4D5E0 mov eax, dword ptr fs:[00000030h] 20_2_04B4D5E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B4D5E0 mov eax, dword ptr fs:[00000030h] 20_2_04B4D5E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BFFDE2 mov eax, dword ptr fs:[00000030h] 20_2_04BFFDE2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BFFDE2 mov eax, dword ptr fs:[00000030h] 20_2_04BFFDE2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BFFDE2 mov eax, dword ptr fs:[00000030h] 20_2_04BFFDE2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BFFDE2 mov eax, dword ptr fs:[00000030h] 20_2_04BFFDE2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C005AC mov eax, dword ptr fs:[00000030h] 20_2_04C005AC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C005AC mov eax, dword ptr fs:[00000030h] 20_2_04C005AC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB6DC9 mov eax, dword ptr fs:[00000030h] 20_2_04BB6DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB6DC9 mov eax, dword ptr fs:[00000030h] 20_2_04BB6DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB6DC9 mov eax, dword ptr fs:[00000030h] 20_2_04BB6DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB6DC9 mov ecx, dword ptr fs:[00000030h] 20_2_04BB6DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB6DC9 mov eax, dword ptr fs:[00000030h] 20_2_04BB6DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB6DC9 mov eax, dword ptr fs:[00000030h] 20_2_04BB6DC9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B43D34 mov eax, dword ptr fs:[00000030h] 20_2_04B43D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B43D34 mov eax, dword ptr fs:[00000030h] 20_2_04B43D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B43D34 mov eax, dword ptr fs:[00000030h] 20_2_04B43D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B43D34 mov eax, dword ptr fs:[00000030h] 20_2_04B43D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B43D34 mov eax, dword ptr fs:[00000030h] 20_2_04B43D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B43D34 mov eax, dword ptr fs:[00000030h] 20_2_04B43D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B43D34 mov eax, dword ptr fs:[00000030h] 20_2_04B43D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B43D34 mov eax, dword ptr fs:[00000030h] 20_2_04B43D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B43D34 mov eax, dword ptr fs:[00000030h] 20_2_04B43D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B43D34 mov eax, dword ptr fs:[00000030h] 20_2_04B43D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B43D34 mov eax, dword ptr fs:[00000030h] 20_2_04B43D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B43D34 mov eax, dword ptr fs:[00000030h] 20_2_04B43D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B43D34 mov eax, dword ptr fs:[00000030h] 20_2_04B43D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B3AD30 mov eax, dword ptr fs:[00000030h] 20_2_04B3AD30
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BFE539 mov eax, dword ptr fs:[00000030h] 20_2_04BFE539
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BBA537 mov eax, dword ptr fs:[00000030h] 20_2_04BBA537
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B64D3B mov eax, dword ptr fs:[00000030h] 20_2_04B64D3B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B64D3B mov eax, dword ptr fs:[00000030h] 20_2_04B64D3B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B64D3B mov eax, dword ptr fs:[00000030h] 20_2_04B64D3B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5C577 mov eax, dword ptr fs:[00000030h] 20_2_04B5C577
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5C577 mov eax, dword ptr fs:[00000030h] 20_2_04B5C577
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B57D50 mov eax, dword ptr fs:[00000030h] 20_2_04B57D50
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C08D34 mov eax, dword ptr fs:[00000030h] 20_2_04C08D34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B73D43 mov eax, dword ptr fs:[00000030h] 20_2_04B73D43
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB3540 mov eax, dword ptr fs:[00000030h] 20_2_04BB3540
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BE3D40 mov eax, dword ptr fs:[00000030h] 20_2_04BE3D40
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C08ED6 mov eax, dword ptr fs:[00000030h] 20_2_04C08ED6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB46A7 mov eax, dword ptr fs:[00000030h] 20_2_04BB46A7
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BCFE87 mov eax, dword ptr fs:[00000030h] 20_2_04BCFE87
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B616E0 mov ecx, dword ptr fs:[00000030h] 20_2_04B616E0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B476E2 mov eax, dword ptr fs:[00000030h] 20_2_04B476E2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C00EA5 mov eax, dword ptr fs:[00000030h] 20_2_04C00EA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C00EA5 mov eax, dword ptr fs:[00000030h] 20_2_04C00EA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C00EA5 mov eax, dword ptr fs:[00000030h] 20_2_04C00EA5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B78EC7 mov eax, dword ptr fs:[00000030h] 20_2_04B78EC7
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B636CC mov eax, dword ptr fs:[00000030h] 20_2_04B636CC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BEFEC0 mov eax, dword ptr fs:[00000030h] 20_2_04BEFEC0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BEFE3F mov eax, dword ptr fs:[00000030h] 20_2_04BEFE3F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B3E620 mov eax, dword ptr fs:[00000030h] 20_2_04B3E620
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6A61C mov eax, dword ptr fs:[00000030h] 20_2_04B6A61C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6A61C mov eax, dword ptr fs:[00000030h] 20_2_04B6A61C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B3C600 mov eax, dword ptr fs:[00000030h] 20_2_04B3C600
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B3C600 mov eax, dword ptr fs:[00000030h] 20_2_04B3C600
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B3C600 mov eax, dword ptr fs:[00000030h] 20_2_04B3C600
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B68E00 mov eax, dword ptr fs:[00000030h] 20_2_04B68E00
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF1608 mov eax, dword ptr fs:[00000030h] 20_2_04BF1608
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5AE73 mov eax, dword ptr fs:[00000030h] 20_2_04B5AE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5AE73 mov eax, dword ptr fs:[00000030h] 20_2_04B5AE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5AE73 mov eax, dword ptr fs:[00000030h] 20_2_04B5AE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5AE73 mov eax, dword ptr fs:[00000030h] 20_2_04B5AE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5AE73 mov eax, dword ptr fs:[00000030h] 20_2_04B5AE73
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B4766D mov eax, dword ptr fs:[00000030h] 20_2_04B4766D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B47E41 mov eax, dword ptr fs:[00000030h] 20_2_04B47E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B47E41 mov eax, dword ptr fs:[00000030h] 20_2_04B47E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B47E41 mov eax, dword ptr fs:[00000030h] 20_2_04B47E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B47E41 mov eax, dword ptr fs:[00000030h] 20_2_04B47E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B47E41 mov eax, dword ptr fs:[00000030h] 20_2_04B47E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B47E41 mov eax, dword ptr fs:[00000030h] 20_2_04B47E41
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BFAE44 mov eax, dword ptr fs:[00000030h] 20_2_04BFAE44
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BFAE44 mov eax, dword ptr fs:[00000030h] 20_2_04BFAE44
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B48794 mov eax, dword ptr fs:[00000030h] 20_2_04B48794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB7794 mov eax, dword ptr fs:[00000030h] 20_2_04BB7794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB7794 mov eax, dword ptr fs:[00000030h] 20_2_04BB7794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB7794 mov eax, dword ptr fs:[00000030h] 20_2_04BB7794
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B737F5 mov eax, dword ptr fs:[00000030h] 20_2_04B737F5
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6E730 mov eax, dword ptr fs:[00000030h] 20_2_04B6E730
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5B73D mov eax, dword ptr fs:[00000030h] 20_2_04B5B73D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5B73D mov eax, dword ptr fs:[00000030h] 20_2_04B5B73D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B34F2E mov eax, dword ptr fs:[00000030h] 20_2_04B34F2E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B34F2E mov eax, dword ptr fs:[00000030h] 20_2_04B34F2E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5F716 mov eax, dword ptr fs:[00000030h] 20_2_04B5F716
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C08F6A mov eax, dword ptr fs:[00000030h] 20_2_04C08F6A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BCFF10 mov eax, dword ptr fs:[00000030h] 20_2_04BCFF10
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BCFF10 mov eax, dword ptr fs:[00000030h] 20_2_04BCFF10
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6A70E mov eax, dword ptr fs:[00000030h] 20_2_04B6A70E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6A70E mov eax, dword ptr fs:[00000030h] 20_2_04B6A70E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C0070D mov eax, dword ptr fs:[00000030h] 20_2_04C0070D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C0070D mov eax, dword ptr fs:[00000030h] 20_2_04C0070D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B4FF60 mov eax, dword ptr fs:[00000030h] 20_2_04B4FF60
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B4EF40 mov eax, dword ptr fs:[00000030h] 20_2_04B4EF40
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6F0BF mov ecx, dword ptr fs:[00000030h] 20_2_04B6F0BF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6F0BF mov eax, dword ptr fs:[00000030h] 20_2_04B6F0BF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6F0BF mov eax, dword ptr fs:[00000030h] 20_2_04B6F0BF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B620A0 mov eax, dword ptr fs:[00000030h] 20_2_04B620A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B620A0 mov eax, dword ptr fs:[00000030h] 20_2_04B620A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B620A0 mov eax, dword ptr fs:[00000030h] 20_2_04B620A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B620A0 mov eax, dword ptr fs:[00000030h] 20_2_04B620A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B620A0 mov eax, dword ptr fs:[00000030h] 20_2_04B620A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B620A0 mov eax, dword ptr fs:[00000030h] 20_2_04B620A0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B790AF mov eax, dword ptr fs:[00000030h] 20_2_04B790AF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B39080 mov eax, dword ptr fs:[00000030h] 20_2_04B39080
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB3884 mov eax, dword ptr fs:[00000030h] 20_2_04BB3884
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB3884 mov eax, dword ptr fs:[00000030h] 20_2_04BB3884
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5B8E4 mov eax, dword ptr fs:[00000030h] 20_2_04B5B8E4
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5B8E4 mov eax, dword ptr fs:[00000030h] 20_2_04B5B8E4
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B340E1 mov eax, dword ptr fs:[00000030h] 20_2_04B340E1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B340E1 mov eax, dword ptr fs:[00000030h] 20_2_04B340E1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B340E1 mov eax, dword ptr fs:[00000030h] 20_2_04B340E1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B358EC mov eax, dword ptr fs:[00000030h] 20_2_04B358EC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BCB8D0 mov eax, dword ptr fs:[00000030h] 20_2_04BCB8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BCB8D0 mov ecx, dword ptr fs:[00000030h] 20_2_04BCB8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BCB8D0 mov eax, dword ptr fs:[00000030h] 20_2_04BCB8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BCB8D0 mov eax, dword ptr fs:[00000030h] 20_2_04BCB8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BCB8D0 mov eax, dword ptr fs:[00000030h] 20_2_04BCB8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BCB8D0 mov eax, dword ptr fs:[00000030h] 20_2_04BCB8D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5A830 mov eax, dword ptr fs:[00000030h] 20_2_04B5A830
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5A830 mov eax, dword ptr fs:[00000030h] 20_2_04B5A830
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5A830 mov eax, dword ptr fs:[00000030h] 20_2_04B5A830
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B5A830 mov eax, dword ptr fs:[00000030h] 20_2_04B5A830
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B6002D mov eax, dword ptr fs:[00000030h] 20_2_04B6002D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B4B02A mov eax, dword ptr fs:[00000030h] 20_2_04B4B02A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB7016 mov eax, dword ptr fs:[00000030h] 20_2_04BB7016
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C01074 mov eax, dword ptr fs:[00000030h] 20_2_04C01074
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BF2073 mov eax, dword ptr fs:[00000030h] 20_2_04BF2073
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04C04015 mov eax, dword ptr fs:[00000030h] 20_2_04C04015
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B50050 mov eax, dword ptr fs:[00000030h] 20_2_04B50050
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04BB51BE mov eax, dword ptr fs:[00000030h] 20_2_04BB51BE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B599BF mov ecx, dword ptr fs:[00000030h] 20_2_04B599BF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 20_2_04B599BF mov eax, dword ptr fs:[00000030h] 20_2_04B599BF
Source: C:\Windows\SysWOW64\logagent.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\DpiScaling.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\logagent.exe Code function: 8_2_051F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_051F9910

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\logagent.exe Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: F70000
Source: C:\Windows\SysWOW64\logagent.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: C80000
Source: C:\Windows\SysWOW64\DpiScaling.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: AE0000
Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\FedEx.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10410000
Source: C:\Users\user\Desktop\FedEx.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 3100000
Source: C:\Users\user\Desktop\FedEx.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 3110000
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10410000
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: AE0000
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: AF0000
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10410000
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: DC0000
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: DD0000
Source: C:\Users\user\Desktop\FedEx.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 10410000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 3100000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 3110000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 10410000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: AE0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: AF0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 10410000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: DC0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: DD0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FedEx.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10410000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10410000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\Rvsuben.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10410000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\logagent.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\logagent.exe Thread register set: target process: 684
Source: C:\Windows\SysWOW64\DpiScaling.exe Thread register set: target process: 684
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 684
Source: C:\Users\user\Desktop\FedEx.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 3110000
Source: C:\Users\Public\Libraries\Rvsuben.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: AF0000
Source: C:\Users\Public\Libraries\Rvsuben.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: DD0000
Source: C:\Users\user\Desktop\FedEx.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\Public\Libraries\Rvsuben.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\Public\Libraries\Rvsuben.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\logagent.exe"
Source: C:\Users\Public\Libraries\Rvsuben.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 20.0.logagent.exe.10410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.logagent.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.logagent.exe.10410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.DpiScaling.exe.10410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.DpiScaling.exe.10410000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.662948879.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.643656925.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.600971102.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.663406978.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.622514268.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.601348197.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.696412101.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.639113956.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.601926446.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.627979202.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.658059430.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.478775786.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.479688839.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.658204539.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.640834589.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.583342582.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.601178673.000000000F23E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.582254970.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.639730390.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.550265684.000000000F23E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.622677419.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.582967305.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.600603050.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.479381669.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.696533789.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.479097118.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.582561192.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.695229674.0000000000E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 20.0.logagent.exe.10410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.logagent.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.logagent.exe.10410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.DpiScaling.exe.10410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.DpiScaling.exe.10410000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.662948879.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.643656925.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.600971102.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.663406978.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.622514268.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.601348197.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.696412101.0000000003100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.639113956.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.601926446.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.627979202.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.658059430.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.478775786.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.479688839.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.658204539.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.640834589.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.583342582.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.601178673.000000000F23E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.582254970.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.639730390.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.550265684.000000000F23E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.622677419.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.582967305.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.600603050.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.479381669.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.696533789.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.479097118.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.582561192.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.695229674.0000000000E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY